Hi,
I am looking for a way to allow certain support individuals to unlock LDAP accounts that have been locked by too many failed auth attempts (ppolicy); however, I do not want them to be able to unlock accounts that have been locked for administrative reasons. I was assuming I could use an ACL like the one below, since we lock an account for administrative reasons with the same pwdAccountLockedTime value:
# Entries not administratively locked (no pwdAccountLockedTime, or a real
# failure timestamp): user_admins may write, everyone else reads.
{6}to dn.subtree="cn=users,dc=company,dc=com"
        filter=(!(pwdAccountLockedTime=000001010000Z))
    by group/groupOfUniqueNames/uniqueMember.exact="cn=user_admins,cn=groups,dc=company,dc=com" write
    by users read

# Entries carrying the ppolicy administrative-lock value: only
# super_user_admins may write (access level made explicit).
{7}to dn.subtree="cn=users,dc=company,dc=com"
        filter=(pwdAccountLockedTime=000001010000Z)
    by group/groupOfUniqueNames/uniqueMember.exact="cn=super_user_admins,cn=groups,dc=company,dc=com" write
    by users read
I know that for a search with that filter an index on pwdAccountLockedTime would be beneficial, but would it help for an ACL filter?
Does this seem like a reasonable approach?
Thanks in advance,
Al
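As an added example (not part of Al's post or of OpenLDAP itself), the following Python helper reproduces the distinction the two ACL filters rely on: a pwdAccountLockedTime of 000001010000Z is the ppolicy value for "locked until an administrator unlocks", while any other value is the timestamp of a lockout caused by failed binds. It classifies sample entries, applies the same group-to-lock-type mapping as the ACL (user_admins for failure locks only, super_user_admins for both), and emits the LDIF a tool would send to clear the lock. The group names, DNs, timestamps and the 15-minute pwdLockoutDuration are constructed assumptions; pwdLockoutDuration comes from the applicable pwdPolicy entry, not from the user entry.

```python
from datetime import datetime, timedelta, timezone
from enum import Enum

# ppolicy stores this fixed value when an account is locked until an
# administrator explicitly unlocks it; it is the value Al's ACL filters test.
ADMIN_LOCK_SENTINEL = "000001010000Z"


class LockState(Enum):
    UNLOCKED = "unlocked"                          # no pwdAccountLockedTime present
    ADMIN_LOCKED = "admin_locked"                  # sentinel value set by an admin
    FAILURE_LOCKED = "failure_locked"              # failed-bind lock, window still open
    FAILURE_LOCK_EXPIRED = "failure_lock_expired"  # failed-bind lock older than the duration


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime such as 20240301115500Z (fraction ignored)."""
    if not value.endswith("Z"):
        raise ValueError(f"expected a UTC GeneralizedTime, got {value!r}")
    digits = value[:-1].split(".")[0]
    if len(digits) != 14 or not digits.isdigit():
        raise ValueError(f"unsupported GeneralizedTime form: {value!r}")
    return datetime.strptime(digits, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def classify_lock(entry: dict, lockout_duration_seconds: int, now: datetime) -> LockState:
    """Classify the lock on a user entry.

    lockout_duration_seconds is the pwdLockoutDuration of the governing pwdPolicy;
    0 means a failure lock does not expire on its own.
    """
    locked_at = entry.get("pwdAccountLockedTime")
    if not locked_at:
        return LockState.UNLOCKED
    if locked_at == ADMIN_LOCK_SENTINEL:
        return LockState.ADMIN_LOCKED
    if lockout_duration_seconds <= 0:
        return LockState.FAILURE_LOCKED
    expires = parse_generalized_time(locked_at) + timedelta(seconds=lockout_duration_seconds)
    return LockState.FAILURE_LOCKED if now < expires else LockState.FAILURE_LOCK_EXPIRED


# Which lock states each support group may clear; mirrors the two ACL filters.
UNLOCK_RIGHTS = {
    "user_admins": {LockState.FAILURE_LOCKED, LockState.FAILURE_LOCK_EXPIRED},
    "super_user_admins": {LockState.FAILURE_LOCKED, LockState.FAILURE_LOCK_EXPIRED,
                          LockState.ADMIN_LOCKED},
}


def may_unlock(group: str, entry: dict, lockout_duration_seconds: int, now: datetime) -> bool:
    """True if the group is allowed to clear the lock currently on the entry."""
    state = classify_lock(entry, lockout_duration_seconds, now)
    return state in UNLOCK_RIGHTS.get(group, set())


def unlock_ldif(dn: str) -> str:
    """LDIF for the unlock itself: drop the lock and the recorded failures."""
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "delete: pwdAccountLockedTime\n"
        "-\n"
        "delete: pwdFailureTime\n"
        "-\n"
    )


def report(entries: dict, lockout_duration_seconds: int, now: datetime) -> dict:
    """Map each DN to its lock state name, for a quick audit listing."""
    return {dn: classify_lock(e, lockout_duration_seconds, now).value
            for dn, e in entries.items()}


# Constructed sample data (not from a real directory); pwdLockoutDuration assumed 900s.
NOW = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
LOCKOUT_DURATION = 900
SAMPLE_ENTRIES = {
    "uid=alice,cn=users,dc=company,dc=com": {"pwdAccountLockedTime": "20240301115500Z"},
    "uid=bob,cn=users,dc=company,dc=com": {"pwdAccountLockedTime": ADMIN_LOCK_SENTINEL},
    "uid=carol,cn=users,dc=company,dc=com": {},
    "uid=dave,cn=users,dc=company,dc=com": {"pwdAccountLockedTime": "20240228120000Z"},
}

if __name__ == "__main__":
    for dn, state in report(SAMPLE_ENTRIES, LOCKOUT_DURATION, NOW).items():
        ok = may_unlock("user_admins", SAMPLE_ENTRIES[dn], LOCKOUT_DURATION, NOW)
        print(f"{dn}: {state}; user_admins may unlock: {ok}")
```

One point the classification makes visible: the ACL filter is evaluated against the entry as it currently stands, so a support tool should check the lock type itself before issuing the modify rather than relying on the server to reject the wrong case with a clear message.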