On 2016-04-12 11:37, Tim Watts wrote:
Sir, you are a genius :)
On 11/04/16 07:31, Michael Ströder wrote:
# some entries matching filter
access to
    attrs=userPassword
    filter=(!(employeeType=Archive)(employeeType=Delete))
        by ..some who clauses for setting password
        by * auth

# all other entries
access to
    attrs=userPassword
        by * none
Very slight tweak to the syntax
Ah yes, filter was wrong.
(with huge thanks - I would not have guessed this was the required technique - I was concentrating on finding an "auth" ACL when I was googling.)
Writing OpenLDAP ACLs is a bit like functional programming - at least from what I vaguely remember from my time at University many years ago.
I'd recommend looking into the OpenLDAP FAQ to find some more not-so-obvious examples.
Ciao, Michael.
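
Added example, not part of the thread: a small Python model of the two userPassword rules above, showing why the quoted filter is rejected (RFC 4515 "!" takes exactly one operand) and how first-match evaluation falls through to "by * none". The corrected filter string, the function names and the sample entries are assumptions constructed for illustration; the thread does not show the exact tweak, and the elided "who" clauses are not modelled.

```python
# Added illustration: RFC 4515 filter check plus slapd-style first-match rule selection.
# Handles only &, |, ! and case-insensitive equality; sample entries are constructed.
ORIGINAL = "(!(employeeType=Archive)(employeeType=Delete))"  # as quoted in the thread
FIXED = "(!(|(employeeType=Archive)(employeeType=Delete)))"  # assumed correction

def parse(f, i=0):
    """Parse one filter starting at f[i]; return (node, next_index)."""
    if f[i:i + 1] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if f[i:i + 1] in ("&", "|", "!"):
        op, i, kids = f[i], i + 1, []
        while f[i:i + 1] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if f[i:i + 1] != ")":
            raise ValueError("unbalanced filter at offset %d" % i)
        if op == "!" and len(kids) != 1:
            raise ValueError("'!' takes exactly one filter, got %d" % len(kids))
        return (op, kids), i + 1
    end = f.index(")", i)  # raises ValueError when the item is never closed
    attr, sep, val = f[i:end].partition("=")
    if not (attr and sep):
        raise ValueError("bad equality item at offset %d" % i)
    return ("=", attr.lower(), val.lower()), end + 1

def compile_filter(f):
    node, end = parse(f)
    if end != len(f):
        raise ValueError("trailing data after filter")
    return node

def matches(node, entry):
    if node[0] == "=":  # an absent attribute evaluates to False
        return node[2] in (v.lower() for v in entry.get(node[1], []))
    results = [matches(kid, entry) for kid in node[1]]
    return {"&": all, "|": any, "!": lambda r: not r[0]}[node[0]](results)

def userpassword_access(entry, flt=FIXED):
    """Return the 'by *' level of the first 'access to attrs=userPassword' rule that applies."""
    entry = {k.lower(): v for k, v in entry.items()}
    rules = [(compile_filter(flt), "auth"),  # entries matching the filter
             (None, "none")]                 # all other entries
    for node, level in rules:
        if node is None or matches(node, entry):
            return level

if __name__ == "__main__":
    for e in ({"employeeType": ["Staff"]}, {"employeeType": ["Archive"]}, {"cn": ["x"]}):
        print(e, "->", userpassword_access(e))
```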