Tim Gustafson wrote:
I'd like to let my account managers to clear the passwords of their managees in the event that an employee is no longer active. So, I've got an ACL like this:
access to attrs=userPassword,sambaNTPassword by set="this/manager & user" write by * break
But I realized that the ACL also allows the manager to -change- a user's password, which I don't really want.
Is there some ACL that I can grant that would let a manager remove an attribute from another user's account, but not otherwise change the value of that attribute?
If by "manager" you mean the rootdn, it bypasses ACL checking. If you mean a normal user which application-wise is granted higher privileges by ACLs, you need to make use of the granular "a" (add) and "z" (zap) privileges (their union is "w", write).
Something like
access to attrs=userPassword,sambaNTPassword by set="this/manager & user" z by * break
p.