Probably depends on what your LDAP clients are looking for.
We use LDAP for all sorts of things - directory lookups, Linux/SunOS system authentication, web site authentication, and lots more. Using an additional attribute, like "localLockedAccount" won't work because lots of our clients probably can't be configured to pay attention to that, and even if they could there are just too many different types of clients that change all the time, some of which I don't have any direct control over. Somehow breaking the ability for a user to bind against the server is really the only way to go.
Which makes me wonder if I could modify the bind ACI to disallow binding to accounts who have the "localLockedAccount" attribute set...something like:
access to attrs=userPassword,sambaNTPassword filter=(!(localLockedAccount=TRUE)) by self write by anonymous auth by * compare
Would that work? Can you stack "to attrs" with a "filter" statement like that?
> grant delete access, then the user shouldn't be able to bind.
Can you grant delete access to a particular attribute? I guess that was my original question.
Tim Gustafson Baskin School of Engineering UC Santa Cruz tjg@soe.ucsc.edu 831-459-5354
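For the stacked "to attrs ... filter=" question above: yes, an OpenLDAP access directive's "to" clause may combine dn, filter and attrs selectors. The following slapd.conf fragment is an added example, not part of the original message and not from any OpenLDAP project documentation; it assumes a site schema that defines a boolean attribute named localLockedAccount, an administrator DN of cn=admin,dc=example,dc=com, and a people branch at ou=People,dc=example,dc=com (all constructed names). Note that LDAP filters have no "!=" operator, so absence of the flag is written as (!(localLockedAccount=TRUE)); the example avoids that by matching the locked case first and letting everyone else fall through.

```conf
# Added example (not from the original post): lock accounts at the ACL level so
# that a simple bind against a flagged entry fails, whatever the client is.
# Assumes the hypothetical attribute localLockedAccount exists in a local schema.

# slapd evaluates access directives in order; the first "to" clause that matches
# the entry and attribute decides. The lock rule must therefore come first.
# Dropping "auth" on the password attributes is what makes the bind fail.
access to attrs=userPassword,sambaNTPassword
        filter=(localLockedAccount=TRUE)
    by dn.exact="cn=admin,dc=example,dc=com" write
    by * none

# Unlocked entries: the usual password rule. Locked entries never reach it.
access to attrs=userPassword,sambaNTPassword
    by self write
    by anonymous auth
    by * compare

# Only the administrator may set or clear the lock flag; a user must not be
# able to remove it from their own entry.
access to attrs=localLockedAccount
    by dn.exact="cn=admin,dc=example,dc=com" write
    by users read
    by * none

# Catch-all so directory lookups by authenticated clients keep working.
access to dn.subtree="ou=People,dc=example,dc=com"
    by self write
    by users read
    by anonymous auth
```

To check the effect without touching real accounts, run a simple bind as a flagged test entry (for example `ldapwhoami -x -D "uid=test,ou=People,dc=example,dc=com" -W`) and expect "Invalid credentials", or evaluate the rule offline with `slapacl -b "<dn>" userPassword/auth`. Two caveats: the rule only governs password-based simple binds, so SASL mechanisms that do not consult userPassword are unaffected; and OpenLDAP's ppolicy overlay already provides this behaviour natively through pwdAccountLockedTime, which is worth considering before maintaining a custom attribute.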