
Re: val/integerMatch="0"



Michael Ströder wrote:
> Howard Chu wrote:
>> Michael Ströder wrote:
>>> Maybe I'm doing something obviously wrong but I don't see it.
>>>
>>> I want to limit the right to reset a counter value solely to zero with this
>>> ACL directive:
>>>
>>> add_content_acl yes
>>> [..]
>>> access to
>>>    dn.subtree="ou=ae-dir"
>>>    filter="(aeStatus=0)"
>>>    attrs=oathHOTPCounter
>>>    val/integerMatch="0"
>>>      by group/aeGroup/member="cn=2fa admins,cn=2fa,ou=ae-dir" write
>>>      by * break
>>> [..]
>>>
>>> The modify request looks like this (old value is 10):
>>>
>>> dn: serialNumber=yubikey-23,cn=2fa,ou=ae-dir
>>> changetype: modify
>>> replace: oathHOTPCounter
>>> oathHOTPCounter: 0
>>> -
>>>
>>> It seems the ACL does not trigger, without the val= part the modification is
>>> allowed (but to any value). I also tried other forms:
>>
>> Your ACL is set on a specific value. The replace op doesn't delete a specific
>> value, it deletes the entire attribute.
> 
> Hmm, so for enforcing that a client can only set a specific value I'd have to
> use two ACLs:
> 1. One for deleting an arbitrary value -> =z (or =zr in my case) and
> 2. another one with val=0 -> =a.
> 
> Right?

Thanks for pointing out the obvious.

This seems to work like I want:

# allow 2FA admins to add new value 0
access to
  dn.subtree="ou=ae-dir"
  filter="(aeStatus=0)"
  attrs=oathHOTPCounter
  val/integerMatch="0"
    by group/aeGroup/member="cn=2fa admins,cn=2fa,ou=ae-dir" =ra
    by * break

# allow 2FA admins to delete any value
access to
  dn.subtree="ou=ae-dir"
  filter="(aeStatus=0)"
  attrs=oathHOTPCounter
    by group/aeGroup/member="cn=2fa admins,cn=2fa,ou=ae-dir" =rz
    by * none

Ciao, Michael.
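Added example, not code from the thread or from OpenLDAP: a small Python model of why the two directives above work together. It transcribes Michael's ACLs and mimics the part of slapd's behaviour the thread turns on (a replace is checked as a delete of the whole attribute with no value, then an add of each new value; directives with a val qualifier are skipped when no value is being checked), and goes a step further by also showing a nonzero replace and a non-member being refused. The admin DN "uid=alice,ou=ae-dir" and the group membership table are constructed for the example; everything else is a simplification, not slapd's actual evaluation code.

```python
from dataclasses import dataclass

# Constructed membership data for the example (not from the thread).
GROUP = "cn=2fa admins,cn=2fa,ou=ae-dir"
MEMBERS = {GROUP: {"uid=alice,ou=ae-dir"}}

@dataclass
class ACL:
    attr: str
    group_privs: str     # privilege set granted with '=' to group members
    others: str          # control for "by *": "break" or "none"
    value: str = None    # val/integerMatch="<value>" qualifier, if any

# Michael's two access directives, transcribed into the model.
ACLS = [
    ACL("oathHOTPCounter", "ra", "break", value="0"),  # allow adding the value 0
    ACL("oathHOTPCounter", "rz", "none"),              # allow deleting any value
]

def integer_match(want, have):
    try:
        return int(want) == int(have)
    except ValueError:
        return False

def privs(acls, who, attr, value):
    """Privileges granted to `who` on (attr, value). Directives with a val qualifier
    are skipped when no value is checked, so a replace's delete step never sees ACL 1."""
    for acl in acls:
        if acl.attr != attr:
            continue
        if acl.value is not None and (value is None or not integer_match(acl.value, value)):
            continue
        if who in MEMBERS.get(GROUP, set()):
            return acl.group_privs    # '=' sets the privileges and stops
        if acl.others == "break":
            continue                  # fall through to the next access directive
        return ""                     # 'none': deny and stop
    return ""

def modify_allowed(acls, who, attr, op, values):
    """Decompose one modification as slapd does: replace = delete the entire attribute
    (needs 'z', no value) followed by an add of each new value (needs 'a' on it)."""
    if op == "replace":
        return "z" in privs(acls, who, attr, None) and all(
            "a" in privs(acls, who, attr, v) for v in values)
    if op == "add":
        return all("a" in privs(acls, who, attr, v) for v in values)
    if op == "delete":
        return all("z" in privs(acls, who, attr, v) for v in (values or [None]))
    raise ValueError(f"unsupported modify op: {op}")
```

Resetting the counter to 0 succeeds for a group member because ACL 2 grants 'z' for the attribute-wide delete and ACL 1 grants 'a' on the value 0; replacing with any other value fails at the add step, and a non-member fails already at the delete step.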

