
Re: val/integerMatch="0"



Howard Chu wrote:
> Michael Ströder wrote:
>> Maybe I'm doing something obviously wrong but I don't see it.
>>
>> I want to limit the right to reset a counter value solely to zero with this
>> ACL directive:
>>
>> add_content_acl yes
>> [..]
>> access to
>>    dn.subtree="ou=ae-dir"
>>    filter="(aeStatus=0)"
>>    attrs=oathHOTPCounter
>>    val/integerMatch="0"
>>      by group/aeGroup/member="cn=2fa admins,cn=2fa,ou=ae-dir" write
>>      by * break
>> [..]
>>
>> The modify request looks like this (old value is 10):
>>
>> dn: serialNumber=yubikey-23,cn=2fa,ou=ae-dir
>> changetype: modify
>> replace: oathHOTPCounter
>> oathHOTPCounter: 0
>> -
>>
>> It seems the ACL does not trigger; without the val= part the modification is
>> allowed (but to any value). I also tried other forms:
> 
> Your ACL is set on a specific value. The replace op doesn't delete a specific
> value, it deletes the entire attribute.

Hmm, so for enforcing that a client can only set a specific value I'd have to
use two ACLs:
1. One for deleting an arbitrary value -> =z (or =zr in my case) and
2. another one with val=0 -> =a.

Right?

Ciao, Michael.
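The two-ACL split Michael proposes, written out as an added illustration (this is not configuration from the thread, and neither Howard nor Michael confirms it). It assumes that slapd evaluates a replace as a delete of the whole attribute (checked with no specific value, so a val/ ACL does not apply) followed by an add of each new value (checked per value), and that the access-control rules are evaluated in the order shown, first matching target wins:

```conf
# Added example: split "write oathHOTPCounter, but only to 0" into
# an add-only rule bound to the value and a delete-only rule for the
# attribute as a whole. Assumption: the value-specific rule must come
# first so that the add of "0" is matched by it and not by the
# general rule below.

# 1. Adding the value 0 is allowed for the 2fa admins (=a, add only).
#    Any other value (e.g. 5) does not match val/integerMatch="0",
#    falls through to the next rule, and is denied there because that
#    rule grants no "a" privilege.
access to
    dn.subtree="ou=ae-dir"
    filter="(aeStatus=0)"
    attrs=oathHOTPCounter
    val/integerMatch="0"
        by group/aeGroup/member="cn=2fa admins,cn=2fa,ou=ae-dir" =a
        by * break

# 2. Removing the existing counter value(s) is allowed for the same
#    group (=zr, delete + read). No val/ part here: the delete that a
#    replace performs names no value, so it needs attribute-level
#    delete access.
access to
    dn.subtree="ou=ae-dir"
    filter="(aeStatus=0)"
    attrs=oathHOTPCounter
        by group/aeGroup/member="cn=2fa admins,cn=2fa,ou=ae-dir" =zr
        by * break
```

With these two rules the modify shown earlier (replace with the single value 0) needs delete on the attribute from rule 2 and add of "0" from rule 1, and both are granted; a replace to any other value fails on the add check. The same checks apply if the client sends an explicit delete followed by add in one modify instead of a replace. One caveat worth checking in practice: rule 2 on its own also lets the group delete oathHOTPCounter entirely (a modify with delete and no add), which leaves the entry without a counter rather than with a counter of 0.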

