On Tue, Apr 13, 2010 at 09:37:39PM +0200, Dieter Kluenter wrote:
From an ACL perspective there is really no difference between adding
an attribute and modifying its value.
No! You have to distinguish between the level access model and the privilege model; see slapd.access(5):
<level> ::= none|disclose|auth|compare|search|read|{write|add|delete}|manage
<priv> ::= {=|+|-}{0|d|x|c|s|r|{w|a|z}|m}+
The privilege model is more flexible, but in the case that Matt describes I do not see any relevant difference: he wants admins to add certain attributes and also to modify them. Either action requires at least 'add' privilege on the attribute, and changing existing values also requires 'delete' - thus 'write' is a reasonable level to choose.
One comment I would make about your ACLs is that in several places you are granting read access to userPassword. This is not usually necessary, nor is it a good idea. You need 'by * auth' access to permit authentication, but only need to give '=w' access to those who need to change passwords. Remember that the 'write' keyword includes read access.
'=w' just grants write privilege but no read privilege.
Exactly. Protecting password attributes is a case that the privilege model handles much better than the level model.
Andrew
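As an added illustration of the advice in this thread (it is not part of the original exchange and not Matt's actual ACLs, which are not reproduced here), the following slapd.conf fragment puts the weak pattern next to the tightened one. The suffix dc=example,dc=com, the group DNs and the attribute list are assumptions made for the example.

```conf
# Constructed example, not the ACLs discussed in the thread.
#
# Weak form (the pattern warned about above): on the level model 'write'
# implies 'read', so these admins can retrieve stored userPassword hashes.
#
# access to attrs=userPassword
#         by group.exact="cn=pwadmins,ou=groups,dc=example,dc=com" write
#         by self write
#         by * auth

# Tightened form using the privilege model: '=w' grants exactly the write
# privilege (add and delete of values) and nothing else, so neither the
# admins nor the user can read the hash back. 'by * auth' still lets slapd
# use the attribute when checking a bind; a bind is evaluated before the
# client has an identity, so 'self' does not match and '* auth' applies.
access to attrs=userPassword
        by group.exact="cn=pwadmins,ou=groups,dc=example,dc=com" =w
        by self =w
        by * auth

# For ordinary attributes that admins should both add and later change,
# the level model is enough: 'write' covers adding a value and replacing
# one (add plus delete), which is the point made above.
access to attrs=mail,telephoneNumber
        by group.exact="cn=admins,ou=groups,dc=example,dc=com" write
        by self write
        by * read

access to *
        by * read
```

Order matters: slapd uses the first 'by' clause that matches the requester, so the 'by * auth' line belongs last in the userPassword rule, and a more specific 'access to attrs=userPassword' must precede the catch-all 'access to *'.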