Michael Ströder wrote:
> Howard Chu wrote:
>> Michael Ströder wrote:
>>> Maybe I'm doing something obviously wrong but I don't see it.
>>>
>>> I want to limit the right to reset a counter value solely to zero with this
>>> ACL directive:
>>>
>>> add_content_acl yes
>>> [..]
>>> access to
>>>   dn.subtree="ou=ae-dir"
>>>   filter="(aeStatus=0)"
>>>   attrs=oathHOTPCounter
>>>   val/integerMatch="0"
>>>   by group/aeGroup/member="cn=2fa admins,cn=2fa,ou=ae-dir" write
>>>   by * break
>>> [..]
>>>
>>> The modify request looks like this (old value is 10):
>>>
>>> dn: serialNumber=yubikey-23,cn=2fa,ou=ae-dir
>>> changetype: modify
>>> replace: oathHOTPCounter
>>> oathHOTPCounter: 0
>>> -
>>>
>>> It seems the ACL does not trigger; without the val= part the modification is
>>> allowed (but to any value). I also tried other forms:
>>
>> Your ACL is set on a specific value. The replace op doesn't delete a specific
>> value, it deletes the entire attribute.
>
> Hmm, so for enforcing that a client can only set a specific value I'd have to
> use two ACLs:
> 1. One for deleting an arbitrary value -> =z (or =zr in my case) and
> 2. another one with val=0 -> =a.
>
> Right?

Thanks for pointing out the obvious. This seems to work like I want:

# allow 2FA admins to add new value 0
access to
  dn.subtree="ou=ae-dir"
  filter="(aeStatus=0)"
  attrs=oathHOTPCounter
  val/integerMatch="0"
  by group/aeGroup/member="cn=2fa admins,cn=2fa,ou=ae-dir" =ra
  by * break

# allow 2FA admins to delete any value
access to
  dn.subtree="ou=ae-dir"
  filter="(aeStatus=0)"
  attrs=oathHOTPCounter
  by group/aeGroup/member="cn=2fa admins,cn=2fa,ou=ae-dir" =rz
  by * none

Ciao, Michael.
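The reason the first ACL never fired, and why the split into an =ra rule on the value and an =rz rule on the attribute works, can be traced with a small model of the check slapd performs on a modify. The Python below is an added illustration written for this thread, not OpenLDAP's code: it keeps only the two facts the thread turns on, that a val=-scoped ACL applies solely to the add or delete of a single matching value, and that a `replace` is checked as "delete the whole attribute" followed by "add each new value". The dn.subtree and filter selectors and the group membership lookup are assumed to match and are not modelled; ADMIN is the group DN from the thread standing in for any of its members.

```python
"""Toy model of how slapd checks a modify request against OpenLDAP ACLs.

Added illustration for the thread above, not OpenLDAP's code. Assumptions:
the dn/filter selectors always match, group membership is a flat string
compare, and the only privileges that matter are a (add) and z (delete)."""

from dataclasses import dataclass, field
from typing import List, Optional

ADD, DELETE = "a", "z"          # privileges a modify needs per value / attribute
ADMIN = "cn=2fa admins,cn=2fa,ou=ae-dir"   # group DN from the thread (assumed requestor)
ATTR = "oathHOTPCounter"


@dataclass
class Clause:
    who: str                 # "*" or the requestor this "by" clause matches
    privs: str               # "write", or an "=" privilege set such as "ra" / "rz"; "" = none
    control: str = "stop"    # "stop" (default) or "break"


@dataclass
class Acl:
    attr: str
    val: Optional[str] = None                 # val=... makes the ACL value-scoped
    clauses: List[Clause] = field(default_factory=list)


def _privs(spec: str) -> set:
    # "write" is the alias for w = add + delete (and implies read)
    return {"r", "a", "z"} if spec == "write" else set(spec)


def check(acls: List[Acl], who: str, attr: str, op: str, value: Optional[str]) -> bool:
    """True if `who` may perform op (ADD or DELETE) of `value` on `attr`.
    value=None means the whole attribute, which is what a replace deletes."""
    for acl in acls:
        if acl.attr != attr:
            continue
        # A value-scoped ACL never matches an operation on the whole attribute
        # and never matches a different value.
        if acl.val is not None and (value is None or value != acl.val):
            continue
        for cl in acl.clauses:
            if cl.who not in ("*", who):
                continue
            if op in _privs(cl.privs):
                return True
            if cl.control == "break":
                break            # fall through to the next access directive
            return False         # first matching "by" clause decides: denied
    return False                 # nothing granted it: default deny


def modify_allowed(acls: List[Acl], who: str, attr: str, mods) -> bool:
    """mods: list of (modtype, values) as in an LDIF changetype: modify."""
    for modtype, values in mods:
        if modtype == "replace":
            # delete on the attribute itself first, then add for each new value
            if not check(acls, who, attr, DELETE, None):
                return False
            if not all(check(acls, who, attr, ADD, v) for v in values):
                return False
        elif modtype == "add":
            if not all(check(acls, who, attr, ADD, v) for v in values):
                return False
        elif modtype == "delete":
            targets = values or [None]       # no values = delete whole attribute
            if not all(check(acls, who, attr, DELETE, v) for v in targets):
                return False
        else:
            raise ValueError(modtype)
    return True


def original_acl() -> List[Acl]:
    """The single directive from the first post: val=0 ... write, by * break."""
    return [Acl(ATTR, "0", [Clause(ADMIN, "write"), Clause("*", "", "break")])]


def fixed_acls() -> List[Acl]:
    """The two directives from the follow-up: =ra on value 0, =rz on the attribute."""
    return [
        Acl(ATTR, "0", [Clause(ADMIN, "ra"), Clause("*", "", "break")]),
        Acl(ATTR, None, [Clause(ADMIN, "rz"), Clause("*", "")]),
    ]


if __name__ == "__main__":
    reset = [("replace", ["0"])]
    print("original, replace -> 0:", modify_allowed(original_acl(), ADMIN, ATTR, reset))   # False
    print("fixed, replace -> 0:   ", modify_allowed(fixed_acls(), ADMIN, ATTR, reset))     # True
    print("fixed, replace -> 5:   ", modify_allowed(fixed_acls(), ADMIN, ATTR, [("replace", ["5"])]))  # False
```

Running it shows the replace to 0 denied under the first directive (the whole-attribute delete finds no matching rule), allowed under the pair, and a replace to any other value still denied because the add step only finds =rz. The model also makes the side effect of the second directive visible: the same group may delete the attribute outright, since =rz is granted without a value restriction, which is the price of letting a replace through at all.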