Hi!
Maybe I'm doing something obviously wrong but I don't see it.
I want to limit the right to reset a counter value solely to zero with this
ACL directive:
add_content_acl yes
[..]
access to
    dn.subtree="ou=ae-dir"
    filter="(aeStatus=0)"
    attrs=oathHOTPCounter
    val/integerMatch="0"
    by group/aeGroup/member="cn=2fa admins,cn=2fa,ou=ae-dir" write
    by * break
[..]
The modify request looks like this (old value is 10):
dn: serialNumber=yubikey-23,cn=2fa,ou=ae-dir
changetype: modify
replace: oathHOTPCounter
oathHOTPCounter: 0
-
It seems the ACL does not trigger. Without the val= part the modification is
allowed (but to any value). I also tried other forms: