Andrew Findlay <andrew.findlay@skills-1st.co.uk> writes:
> On Mon, Apr 12, 2010 at 01:14:40PM -0400, Matt Ingram wrote:
> [...]
> From an ACL perspective there is really no difference between adding
> an attribute and modifying its value.
No! You have to distinguish between the level access model and the privilege model; see slapd.access(5):
    <level> ::= none|disclose|auth|compare|search|read|{write|add|delete}|manage
    <priv>  ::= {=|+|-}{0|d|x|c|s|r|{w|a|z}|m}+
> One comment I would make about your ACLs is that in several places you are granting read access to userPassword. This is not usually necessary nor is it a good idea. You need 'by * auth' access to permit authentication, but only need to give '=w' access to those who need to change passwords. Remember that the 'write' keyword includes read access.
'=w' just grants write privilege but no read privilege.
-Dieter
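A configuration showing both models side by side, added here as an example; it is not taken from the thread, from Matt's ACLs, or from the OpenLDAP documentation. The suffix dc=example,dc=com, the two role DNs under ou=roles, and the choice of the mail attribute are assumptions.

```conf
# Added example, not from the thread: slapd.conf ACLs using both the level
# model and the privilege model of slapd.access(5). The suffix, the two role
# DNs and the choice of the 'mail' attribute are assumptions.

# userPassword is never readable. 'auth' lets a bind operation check the
# supplied password; '=w' gives the owner and the password admin write on
# the attribute and nothing else. The level keyword 'write' would also have
# granted read, search and compare on it.
access to attrs=userPassword
        by dn.exact="cn=pwadmin,ou=roles,dc=example,dc=com" =w
        by self =w
        by * auth

# add versus modify, which the level model cannot separate: helpdesk may add
# a mail value ('a') but may not delete one ('z'); a modify/replace needs
# both, i.e. 'w'. In the privilege model nothing is implied, so read, search
# and compare have to be listed explicitly.
access to attrs=mail
        by dn.exact="cn=helpdesk,ou=roles,dc=example,dc=com" =rsca
        by self =rscw
        by users =rsc
        by * none

# Everything else uses the level model, where each level implies the lower
# ones ('write' includes 'read', 'read' includes 'search', and so on).
access to *
        by self write
        by users read
        by * none
```

The first matching 'by' clause wins, so the order inside each 'access to' matters: with the clauses as written, a helpdesk account editing its own entry is matched by the dn.exact clause and gets only 'a', not 'w'. The effect of a given ACL can be checked offline against the configured database with slapacl(8), for instance slapacl -b "uid=jdoe,ou=people,dc=example,dc=com" -D "cn=helpdesk,ou=roles,dc=example,dc=com" "mail/add" versus "mail/delete" (the target DN here is likewise assumed).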