Sir, you are a genius :)
On 11/04/16 07:31, Michael Ströder wrote:
> # some entries matching filter
> access to attrs=userPassword filter=(!(employeeType=Archive)(employeeType=Delete))
>     by ..some who clauses for setting password
>     by * auth
> # all other entries
> access to attrs=userPassword
>     by * none
Very slight tweak to the syntax (with huge thanks - I would not have guessed this was the required technique - I was concentrating on finding an "auth" ACL when I was googling.)
This is the full ACL list for context, should anyone find this useful. The nice thing is that I can add new employeeTypes (eg "BA" for undergrads) without breaking the core logic.
Also, this should be fundamentally more secure as we can now disable accounts in one place.
In case anyone is wondering about the difference between "Archive" and "Delete", they are as follows:
"Archive" - keep the user in the libnss lists (eg getent passwd still returns them, so that file UIDs resolve). User cannot log in.
"Delete" - they vanish from libnss and other places, but we still hold their LDAP record for easy resurrection (this happens a lot - we have a class of nomadic users - they work on a project, go away, then come back on another project 2 years later).
===========================================
access to attrs=userPassword
    filter=(&(!(employeeType=Archive))(!(employeeType=Delete)))
    by peername.path="/var/run/slapd/ldapi" manage
    by set="user/uid & [cn=sysadmin,ou=groups,dc=dighum,dc=kcl,dc=ac,dc=uk]/memberUid" manage
    by self write
    by * auth

access to attrs=userPassword
    by * none

# Certain attributes that should not be publicly readable
access to attrs=bindTimestamp,modifyTimestamp,modifiersName,creatorsName,createTimestamp
    by peername.path="/var/run/slapd/ldapi" manage
    by set="user/uid & [cn=sysadmin,ou=groups,dc=dighum,dc=kcl,dc=ac,dc=uk]/memberUid" manage
    by self read
    by * none

# The admin dn has full write access, everyone else
# can read everything.
# Local unix domain socket (root only) can do everything
access to *
    by peername.path="/var/run/slapd/ldapi" manage
    by set="user/uid & [cn=sysadmin,ou=groups,dc=dighum,dc=kcl,dc=ac,dc=uk]/memberUid" manage
    by * read
===========================================
I'll do some more testing and have a look at that "set=" inefficiency too.
Thanks very much for your help :)
Tim
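An added illustration of why the two userPassword rules above disable an account in one place (this is a small Python model written for this page, not code from the thread or from OpenLDAP): slapd applies the first "access to" clause whose target matches, so an Archive/Delete entry falls through to "by * none" and even the user's own simple bind fails. The sysadmin set, the sample entries and the requester representation are constructed assumptions; the filter parser also rejects the one-operand "!" slip the thread corrects.

```python
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
ACTIVE = "(&(!(employeeType=Archive))(!(employeeType=Delete)))"  # filter from the ACL
SYSADMINS = {"alice"}  # constructed stand-in for cn=sysadmin's memberUid values
ENTRIES = {  # constructed sample entries, not real users
    "bob": {"uid": ["bob"], "employeeType": ["Staff"]},
    "carol": {"uid": ["carol"], "employeeType": ["Archive"]},
}

def parse_filter(s):
    """Parse the RFC 4515 subset the ACL uses: (&..), (!..) and (attr=value)."""
    def parse(i):
        if s[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        if s[i + 1] in "&!":
            op, i, kids = s[i + 1], i + 2, []
            while i < len(s) and s[i] == "(":
                node, i = parse(i)
                kids.append(node)
            if op == "!" and len(kids) != 1:  # the syntax slip the thread corrects
                raise ValueError("'!' takes exactly one sub-filter")
            return (op, kids), i + 1  # i + 1 skips the closing ')'
        j = s.index(")", i)
        attr, value = s[i + 1:j].split("=", 1)
        return ("=", (attr.lower(), value.lower())), j + 1
    return parse(0)[0]

def matches(node, entry):
    """Evaluate a parsed filter against an entry given as {attr: [values]}."""
    op, arg = node
    if op == "=":
        attr, value = arg
        vals = {k.lower(): v for k, v in entry.items()}.get(attr, [])
        return value in (v.lower() for v in vals)
    if op == "&":
        return all(matches(k, entry) for k in arg)
    return not matches(arg[0], entry)  # op == "!"

def userpassword_access(entry, requester):
    """First-match evaluation of the two userPassword rules; requester = {uid, via_ldapi}."""
    if matches(parse_filter(ACTIVE), entry):  # rule 1: non-archived entries only
        if requester.get("via_ldapi") or requester.get("uid") in SYSADMINS:
            return "manage"
        if requester.get("uid") == entry["uid"][0]:
            return "write"  # 'by self write'
        return "auth"  # 'by * auth': enough for a simple bind
    return "none"  # rule 2 ('by * none') catches Archive/Delete entries

def can_bind(entry):
    """A simple bind is evaluated as anonymous, so 'by *' must grant >= auth."""
    level = userpassword_access(entry, {"uid": None, "via_ldapi": False})
    return LEVELS.index(level) >= LEVELS.index("auth")
```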