Howard Chu wrote:
> Michael Ströder wrote:
>> Maybe I'm doing something obviously wrong but I don't see it.
>>
>> I want to limit the right to reset a counter value solely to zero with this
>> ACL directive:
>>
>> add_content_acl yes
>> [..]
>> access to
>>   dn.subtree="ou=ae-dir"
>>   filter="(aeStatus=0)"
>>   attrs=oathHOTPCounter
>>   val/integerMatch="0"
>>   by group/aeGroup/member="cn=2fa admins,cn=2fa,ou=ae-dir" write
>>   by * break
>> [..]
>>
>> The modify request looks like this (old value is 10):
>>
>> dn: serialNumber=yubikey-23,cn=2fa,ou=ae-dir
>> changetype: modify
>> replace: oathHOTPCounter
>> oathHOTPCounter: 0
>> -
>>
>> It seems the ACL does not trigger, without the val= part the modification is
>> allowed (but to any value). I also tried other forms:
>
> Your ACL is set on a specific value. The replace op doesn't delete a specific
> value, it deletes the entire attribute.

Hmm, so for enforcing that a client can only set a specific value I'd have to
use two ACLs:

1. One for deleting an arbitrary value -> =z (or =zr in my case) and
2. another one with val=0 -> =a.

Right?

Ciao, Michael.
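A simplified model of the evaluation Howard describes, added here as an example (it is not from the thread or from OpenLDAP's code): a replace is checked as a valueless delete of the attribute followed by an add of each new value, and a rule carrying a `val=` clause is skipped whenever no concrete value is being checked. The first-match, deny-by-default and single-subject handling are assumed simplifications of slapd's real ACL processing, and the `Acl` class and its functions are names made up for this model.

```python
from dataclasses import dataclass
from typing import Optional

ATTR = "oathHOTPCounter"  # the attribute from the thread; one subject assumed

@dataclass
class Acl:
    """One 'access to attrs=... [val=...]' rule as seen by a single subject."""
    privs: str                  # slapd access letters: z = delete, a = add
    val: Optional[str] = None   # value the rule is restricted to, if any

    def applies(self, value: Optional[str]) -> bool:
        # A val= rule is only consulted when a concrete value is checked;
        # the valueless delete check of a replace skips it entirely.
        return self.val is None or value == self.val

def access_allowed(acls, value, priv):
    """First applicable rule decides; no applicable rule means deny.
    Simplification: the thread's trailing 'by * break' and the omitted
    rules after it are modelled as a final deny."""
    for acl in acls:
        if acl.applies(value):
            return priv in acl.privs
    return False

def replace_allowed(acls, new_values):
    """replace = delete the whole attribute (no value), then add each value."""
    if not access_allowed(acls, None, "z"):
        return False
    return all(access_allowed(acls, v, "a") for v in new_values)

# The thread's single rule: write (= add + delete) on value 0 only.
SINGLE_RULE = [Acl("za", "0")]

# The proposed split, value-specific rule first: a rule without val= placed
# before it would also claim the add check for value 0 and deny it.
SPLIT_RULES = [Acl("a", "0"), Acl("z")]
SPLIT_RULES_WRONG_ORDER = [Acl("z"), Acl("a", "0")]

if __name__ == "__main__":
    print(replace_allowed(SINGLE_RULE, ["0"]))             # False
    print(replace_allowed(SPLIT_RULES, ["0"]))             # True
    print(replace_allowed(SPLIT_RULES, ["5"]))             # False
    print(replace_allowed(SPLIT_RULES_WRONG_ORDER, ["0"])) # False
```

The single `val=0` rule never sees the delete half of the replace, which is why the modification in the thread is not matched by it.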