Michael Ströder wrote:
Hi!
Maybe I'm doing something obviously wrong but I don't see it.
I want to limit the right to reset a counter value solely to zero with this ACL directive:
    add_content_acl yes
    [..]
    access to
        dn.subtree="ou=ae-dir"
        filter="(aeStatus=0)"
        attrs=oathHOTPCounter
        val/integerMatch="0"
      by group/aeGroup/member="cn=2fa admins,cn=2fa,ou=ae-dir" write
      by * break
    [..]
The modify request looks like this (old value is 10):
    dn: serialNumber=yubikey-23,cn=2fa,ou=ae-dir
    changetype: modify
    replace: oathHOTPCounter
    oathHOTPCounter: 0
It seems the ACL does not trigger; without the val= part the modification is allowed (but to any value). I also tried other forms:
Your ACL is set on a specific value. The replace op doesn't delete a specific value, it deletes the entire attribute.
    val="0"
    val=0
    val.regex="^0$"
Can somebody help me? Thanks in advance.
Ciao, Michael.