On Tue, 29 Jun 2010, Tim Gustafson wrote:
access to attrs=userPassword,sambaNTPassword by set="this/manager & user" write by * break
But I realized that the ACL also allows the manager to -change- a user's password, which I don't really want.
Is there some ACL that I can grant that would let a manager remove an attribute from another user's account, but not otherwise change the value of that attribute?
Probably depends on what your LDAP clients are looking for. Some ideas to think about:
grant delete access, then the user shouldn't be able to bind. (Assuming compatible schema and applications.)
grant write access to some sort of "enabled" attribute:
* Perhaps you're using shadowAccounts, or an LDAP group that you could allow managers to write to (perhaps with a set and/or regex that ensures that they only write/delete DNs relevant to their own employees), or it'd be worth registering your own localAttributeManagerDisabled, or.....
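As an added illustration (not part of the reply above), here are the two ideas in slapd.conf ACL syntax. It assumes a slapd whose slapd.access(5) privilege model splits write into add (`=a`) and delete (`=z`) privileges, and that accounts carry the shadowAccount object class so that `shadowExpire` is available; the `set` clause is the one from the original question.

```conf
# Idea 1: the manager gets the delete privilege only ("=z") on the password
# attributes. A modify that removes the values succeeds, but adding or
# replacing a password needs the add privilege too, which is not granted,
# so the manager cannot set a password of their own choosing.
# "by * break" keeps evaluating later ACLs (e.g. "by self write", or the
# rules that let the user change their own password) exactly as before.
access to attrs=userPassword,sambaNTPassword
    by set="this/manager & user" =z
    by * break

# Idea 2: leave the password untouched and let the manager expire the
# account instead. Clients that honour shadowAccount (PAM/NSS style
# logins) refuse an account whose shadowExpire is in the past; clients
# that bind with a plain simple bind and ignore shadow attributes will
# NOT be affected, so check what your applications actually look at.
access to attrs=shadowExpire
    by set="this/manager & user" write
    by * break
```

With idea 1, a `bind` as the user fails once no password value is left, provided nothing else (for example a SASL mapping or a second credential store) authenticates that DN without userPassword.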