On Wed, 30 Jun 2010, Tim Gustafson wrote:
access to attrs=userPassword,sambaNTPassword filter=(localLockedAccount!=TRUE) by self write by anonymous auth by * compare
Would that work? Can you stack "to attrs" with a "filter" statement like that?
Yes, that's a supported syntax.
grant delete access, then the user shouldn't be able to bind.
Can you grant delete access to a particular attribute? I guess that was my original question.
Sure. That's documented as one of the supported <level> choices in the slapd.access(5) man page. (Note that that same page has the explicit answer to your earlier question: "The dn, filter, and attrs statements are additive; they can be used in sequence to select entities the access rule applies to based on naming context, value and attribute type simultaneously.") Perhaps a look through that is in order...
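The stacked rule discussed in this thread, written out as a slapd.conf fragment. This is an added example, not part of the original messages. It assumes localLockedAccount is a site-specific attribute already defined in the local schema, and the second rule is an assumed companion rule rather than anything proposed in the thread.

```conf
# Added example: attrs= and filter= used together in one <what> clause.
# localLockedAccount is the site-specific attribute named in the thread;
# its schema definition is assumed to exist already.

# Rule 1: the two password attributes, but only on entries that are
# not locked. The attrs and filter statements are additive, so the rule
# applies only where both select the target.
# LDAP search filters (RFC 4515) have no "!=" operator; negation is
# written as (!(attr=value)).
access to attrs=userPassword,sambaNTPassword
        filter=(!(localLockedAccount=TRUE))
        by self write
        by anonymous auth
        by * compare

# Rule 2 (assumed companion rule): the same attributes on every entry
# that rule 1 did not select, i.e. the locked ones. slapd stops at the
# first rule whose <what> matches, so placing this directly after rule 1
# keeps a later, broader rule from granting "auth" on locked entries.
# With no auth access to userPassword, a simple bind as that entry fails.
access to attrs=userPassword,sambaNTPassword
        by * none
```

After loading the rules, slapacl(8) can be used to check what access a given identity receives on userPassword for a locked and an unlocked test entry.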