I am looking for a way to allow certain support individuals to unlock
LDAP accounts that have been locked by too many failed auth attempts
(ppolicy), however I do not want them to be able to unlock accounts
that have been locked for administrative reasons. I was assuming I
could use an ACL like the one below, since we lock an account for
administrative reasons with the same pwdAccountLockedTime value -
write by users read
by users read
I know for a search with that filter, an index on pwdAccountLockedTime
would be beneficial, but would it help for an ACL filter?
Does this seem like a reasonable approach?
Thanks in advance,
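One concrete form of the ACL described above, as an added example that is not part of the original post. It assumes a cn=config setup with slapo-ppolicy loaded on the {1}mdb database and a hypothetical support group cn=support,ou=groups,dc=example,dc=com, and relies on slapo-ppolicy's documented permanent-lock marker 000001010000Z to tell an administrative lock from a failed-bind lockout:

```ldif
# Added example, not from the original post. Hypothetical DNs; adjust the
# database and group to your directory.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
# Rule {0}: an entry locked by failed binds carries a real timestamp, never
# the permanent-lock marker, so support may write (delete) the attribute.
# The filter is tested against the target entry itself during the modify.
olcAccess: {0}to attrs=pwdAccountLockedTime
  filter=(&(pwdAccountLockedTime=*)(!(pwdAccountLockedTime=000001010000Z)))
  by group.exact="cn=support,ou=groups,dc=example,dc=com" write
  by users read
# Rule {1}: administratively locked entries (pwdAccountLockedTime equal to
# 000001010000Z) fall through to this rule, where support only has read,
# so only the rootdn or a later, broader rule can clear that lock.
olcAccess: {1}to attrs=pwdAccountLockedTime
  by users read
```

Because pwdAccountLockedTime is NO-USER-MODIFICATION, the support user's ldapmodify that deletes it must carry the Relax Rules control (ldapmodify -e relax). The ACL filter is evaluated against the single entry being modified rather than run as a search, so an index on pwdAccountLockedTime does not change how this rule is applied.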