[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: val/integerMatch="0"

To: Michael Ströder <michael@stroeder.com>, "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: Re: val/integerMatch="0"
From: Howard Chu <hyc@symas.com>
Date: Sun, 8 Nov 2015 01:18:10 +0000
In-reply-to: <563E6AD8.603@stroeder.com>
References: <563E6AD8.603@stroeder.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0 SeaMonkey/2.38a1

Michael Ströder wrote:

HI!

Maybe I'm doing something obviously wrong but I don't see it.

I want to limit the right to reset a counter value solely to zero with this
ACL directive:

add_content_acl yes
[..]
access to
   dn.subtree="ou=ae-dir"
   filter="(aeStatus=0)"
   attrs=oathHOTPCounter
   val/integerMatch="0"
     by group/aeGroup/member="cn=2fa admins,cn=2fa,ou=ae-dir" write
     by * break
[..]

The modify request looks like this (old value is 10):

dn: serialNumber=yubikey-23,cn=2fa,ou=ae-dir
changetype: modify
replace: oathHOTPCounter
oathHOTPCounter: 0
-

It seems the ACL does not trigger, without the val= part the modification is
allowed (but to any value). I also tried other forms:

Your ACL is set on a specific value. The replace op doesn't delete a specificvalue, it deletes the entire attribute.


   val="0"
   val=0
   val.regex="^0$"

Can somebody help me? Thanks in advance.

Ciao, Michael.



--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Follow-Ups:
- Re: val/integerMatch="0"
  - From: Michael Ströder <michael@stroeder.com>

References:
- val/integerMatch="0"
  - From: Michael Ströder <michael@stroeder.com>

Prev by Date: val/integerMatch="0"
Next by Date: Re: val/integerMatch="0"
Index(es):
- Chronological
- Thread