
Re: val/integerMatch="0"



Michael Ströder wrote:
> Hi!
>
> Maybe I'm doing something obviously wrong but I don't see it.
>
> I want to limit the right to reset a counter value solely to zero with this
> ACL directive:
>
> add_content_acl yes
> [..]
> access to
>    dn.subtree="ou=ae-dir"
>    filter="(aeStatus=0)"
>    attrs=oathHOTPCounter
>    val/integerMatch="0"
>      by group/aeGroup/member="cn=2fa admins,cn=2fa,ou=ae-dir" write
>      by * break
> [..]
>
> The modify request looks like this (old value is 10):
>
> dn: serialNumber=yubikey-23,cn=2fa,ou=ae-dir
> changetype: modify
> replace: oathHOTPCounter
> oathHOTPCounter: 0
> -
>
> It seems the ACL does not trigger, without the val= part the modification is
> allowed (but to any value). I also tried other forms:

Your ACL is set on a specific value. The replace op doesn't delete a specific value, it deletes the entire attribute.

>    val="0"
>    val=0
>    val.regex="^0$"
>
> Can somebody help me? Thanks in advance.
>
> Ciao, Michael.



--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
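
A simplified model of the explanation above, added here as an illustration (not code from the thread or from OpenLDAP): a replace is treated as removing the attribute as a whole and then adding the new values, and a rule with val= is assumed to apply only when one specific value is being checked. The rule dictionaries and function names are hypothetical, and the rules elided as [..] in the thread are assumed to grant no write access.

```python
# Simplified model of the access checks behind an LDAP modify (an assumption
# made for illustration; this is not slapd code).
ATTR = "oathHOTPCounter"

# Constructed rule sets: the value-scoped rule from the thread, and the same
# rule without val=. Each rule is assumed to match the requester's group.
VALUE_SCOPED = [{"attr": ATTR, "val": "0", "write": True}]
UNSCOPED = [{"attr": ATTR, "write": True}]


def rule_applies(rule, attr, value):
    """A rule carrying val= applies only when one specific value is checked."""
    if rule["attr"] != attr:
        return False
    if "val" in rule:
        return value is not None and value == rule["val"]
    return True


def access_allowed(rules, attr, value):
    """First applicable rule decides; with none, write access is refused."""
    for rule in rules:
        if rule_applies(rule, attr, value):
            return rule["write"]
    return False


def required_checks(op, values):
    """Checks implied by one modification; value None means the whole attribute."""
    if op == "replace":
        # The old values are removed as a whole, then each new value is added.
        return [("delete", None)] + [("add", v) for v in values]
    if op == "add":
        return [("add", v) for v in values]
    if op == "delete":
        return [("delete", v) for v in (values or [None])]
    raise ValueError(f"unknown modification type: {op}")


def evaluate(rules, op, values, attr=ATTR):
    """Return (check, value, allowed) for every check the modification needs."""
    return [(kind, v, access_allowed(rules, attr, v))
            for kind, v in required_checks(op, values)]


def modify_allowed(rules, op, values, attr=ATTR):
    """The modification succeeds only if every required check is allowed."""
    return all(ok for _, _, ok in evaluate(rules, op, values, attr))
```

In this model the replace to 0 fails on the whole-attribute delete check, which the val= rule never covers, while the rule without val= passes both checks for any new value.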