Michael Ströder wrote:
> Howard Chu wrote:
>> Michael Ströder wrote:
>>> Maybe I'm doing something obviously wrong but I don't see it.
>>>
>>> I want to limit the right to reset a counter value solely to zero with this
>>> ACL directive:
>>>
>>> add_content_acl yes
>>> [..]
>>> access to
>>> dn.subtree="ou=ae-dir"
>>> filter="(aeStatus=0)"
>>> attrs=oathHOTPCounter
>>> val/integerMatch="0"
>>> by group/aeGroup/member="cn=2fa admins,cn=2fa,ou=ae-dir" write
>>> by * break
>>> [..]
>>>
>>> The modify request looks like this (old value is 10):
>>>
>>> dn: serialNumber=yubikey-23,cn=2fa,ou=ae-dir
>>> changetype: modify
>>> replace: oathHOTPCounter
>>> oathHOTPCounter: 0
>>> -
>>>
>>> It seems the ACL does not trigger; without the val= part the modification is
>>> allowed (but to any value). I also tried other forms:
>>
>> Your ACL is set on a specific value. The replace op doesn't delete a specific
>> value, it deletes the entire attribute.
>
> Hmm, so for enforcing that a client can only set a specific value I'd have to
> use two ACLs:
> 1. One for deleting an arbitrary value -> =z (or =zr in my case) and
> 2. another one with val=0 -> =a.
>
> Right?
Thanks for pointing out the obvious.
This seems to work like I want:
# allow 2FA admins to add new value 0
access to
dn.subtree="ou=ae-dir"
filter="(aeStatus=0)"
attrs=oathHOTPCounter
val/integerMatch="0"
by group/aeGroup/member="cn=2fa admins,cn=2fa,ou=ae-dir" =ra
by * break
# allow 2FA admins to delete any value
access to
dn.subtree="ou=ae-dir"
filter="(aeStatus=0)"
attrs=oathHOTPCounter
by group/aeGroup/member="cn=2fa admins,cn=2fa,ou=ae-dir" =rz
by * none
Ciao, Michael.
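As an added illustration that is not part of the thread, the following Python model (not slapd's own code) walks through the access checks Howard describes: a replace is evaluated as one delete check on the attribute with no value, followed by an add check per new value, so a value-qualified ACL is skipped for the delete and the single-ACL form never grants the reset. It assumes slapd's first-match ACL semantics as described above, omits the dn.subtree and filter= qualifiers (assumed to match), and models group membership as a single requester DN.

```python
# Illustrative model (not slapd's code): slapd checks a "replace" as one
# delete-access check on the attribute as a whole (no value) followed by an
# add-access check for each new value, so a value-qualified ACL never sees the delete.
LEVELS = {"write": set("wazrscxd"), "none": set()}

def grants(level):
    """Privilege letters granted by an access level such as 'write' or '=ra'."""
    if level in LEVELS:
        return LEVELS[level]
    privs = set(level.lstrip("="))
    if "w" in privs:            # 'w' is shorthand for add ('a') plus delete ('z')
        privs |= {"a", "z"}
    return privs

def access_allowed(acls, attr, value, priv, who):
    """First matching <what> clause decides, unless its <by> clause says break.
    dn.subtree and filter= qualifiers are omitted here (assumed to match)."""
    for acl in acls:
        if acl["attrs"] != attr:
            continue
        # A value-qualified ACL is skipped when there is no value to compare.
        if "val" in acl and (value is None or int(value) != int(acl["val"])):
            continue
        for subject, level in acl["by"]:
            if subject in (who, "*"):
                if level == "break":
                    break           # try the next ACL
                return priv in grants(level)
        else:
            return False            # implicit trailing "by * none"
    return False                    # no ACL matched; default access is read only

def modify_allowed(acls, mods, who):
    """Decompose each modification into the (attr, value, privilege) checks."""
    checks = []
    for op, attr, values in mods:
        if op == "replace":
            checks.append((attr, None, "z"))          # drop the whole attribute
            checks += [(attr, v, "a") for v in values]
        elif op == "delete":
            checks += [(attr, v, "z") for v in values] or [(attr, None, "z")]
        elif op == "add":
            checks += [(attr, v, "a") for v in values]
    return all(access_allowed(acls, a, v, p, who) for a, v, p in checks)

ADMINS = "cn=2fa admins,cn=2fa,ou=ae-dir"   # requester modelled as the group DN
ONE_ACL = [{"attrs": "oathHOTPCounter", "val": "0", "by": [(ADMINS, "write"), ("*", "break")]}]
TWO_ACLS = [{"attrs": "oathHOTPCounter", "val": "0", "by": [(ADMINS, "=ra"), ("*", "break")]},
            {"attrs": "oathHOTPCounter", "by": [(ADMINS, "=rz"), ("*", "none")]}]
RESET = [("replace", "oathHOTPCounter", ["0"])]   # the modify from the question
```

With ONE_ACL the reset is denied, with TWO_ACLS it is allowed, while a replace to any non-zero value is still refused because only the value-qualified ACL grants add access.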