Hi!
Maybe I'm doing something obviously wrong but I don't see it.
I want to limit the right to reset a counter value solely to zero with this ACL directive:
add_content_acl yes [..]
access to dn.subtree="ou=ae-dir" filter="(aeStatus=0)"
    attrs=oathHOTPCounter val/integerMatch="0"
    by group/aeGroup/member="cn=2fa admins,cn=2fa,ou=ae-dir" write
    by * break
[..]
The modify request looks like this (old value is 10):
dn: serialNumber=yubikey-23,cn=2fa,ou=ae-dir
changetype: modify
replace: oathHOTPCounter
oathHOTPCounter: 0
-
It seems the ACL does not trigger; without the val= part the modification is allowed (but to any value). I also tried other forms:
val="0"
val=0
val.regex="^0$"
Can somebody help me? Thanks in advance.
Ciao, Michael.
Michael Ströder wrote:
> Hi!
> Maybe I'm doing something obviously wrong but I don't see it.
> I want to limit the right to reset a counter value solely to zero with this ACL directive:
> add_content_acl yes [..]
> access to dn.subtree="ou=ae-dir" filter="(aeStatus=0)"
>     attrs=oathHOTPCounter val/integerMatch="0"
>     by group/aeGroup/member="cn=2fa admins,cn=2fa,ou=ae-dir" write
>     by * break
> [..]
> The modify request looks like this (old value is 10):
> dn: serialNumber=yubikey-23,cn=2fa,ou=ae-dir
> changetype: modify
> replace: oathHOTPCounter
> oathHOTPCounter: 0
> It seems the ACL does not trigger; without the val= part the modification is allowed (but to any value). I also tried other forms:

Your ACL is set on a specific value. The replace op doesn't delete a specific value, it deletes the entire attribute.

> val="0"
> val=0
> val.regex="^0$"
> Can somebody help me? Thanks in advance.
> Ciao, Michael.
Howard Chu wrote:
> Michael Ströder wrote:
>> Maybe I'm doing something obviously wrong but I don't see it.
>> I want to limit the right to reset a counter value solely to zero with this ACL directive:
>> add_content_acl yes [..]
>> access to dn.subtree="ou=ae-dir" filter="(aeStatus=0)"
>>     attrs=oathHOTPCounter val/integerMatch="0"
>>     by group/aeGroup/member="cn=2fa admins,cn=2fa,ou=ae-dir" write
>>     by * break
>> [..]
>> The modify request looks like this (old value is 10):
>> dn: serialNumber=yubikey-23,cn=2fa,ou=ae-dir
>> changetype: modify
>> replace: oathHOTPCounter
>> oathHOTPCounter: 0
>> It seems the ACL does not trigger; without the val= part the modification is allowed (but to any value). I also tried other forms:
>
> Your ACL is set on a specific value. The replace op doesn't delete a specific value, it deletes the entire attribute.

Hmm, so for enforcing that a client can only set a specific value I'd have to use two ACLs:
1. One for deleting an arbitrary value -> =z (or =zr in my case) and
2. another one with val=0 -> =a.
Right?
Ciao, Michael.
Michael Ströder wrote:
> Howard Chu wrote:
>> Michael Ströder wrote:
>>> Maybe I'm doing something obviously wrong but I don't see it.
>>> I want to limit the right to reset a counter value solely to zero with this ACL directive:
>>> add_content_acl yes [..]
>>> access to dn.subtree="ou=ae-dir" filter="(aeStatus=0)"
>>>     attrs=oathHOTPCounter val/integerMatch="0"
>>>     by group/aeGroup/member="cn=2fa admins,cn=2fa,ou=ae-dir" write
>>>     by * break
>>> [..]
>>> The modify request looks like this (old value is 10):
>>> dn: serialNumber=yubikey-23,cn=2fa,ou=ae-dir
>>> changetype: modify
>>> replace: oathHOTPCounter
>>> oathHOTPCounter: 0
>>> It seems the ACL does not trigger; without the val= part the modification is allowed (but to any value). I also tried other forms:
>>
>> Your ACL is set on a specific value. The replace op doesn't delete a specific value, it deletes the entire attribute.
>
> Hmm, so for enforcing that a client can only set a specific value I'd have to use two ACLs:
> - One for deleting an arbitrary value -> =z (or =zr in my case) and
> - another one with val=0 -> =a.
> Right?

Thanks for pointing out the obvious.
This seems to work like I want:
# allow 2FA admins to add new value 0
access to dn.subtree="ou=ae-dir" filter="(aeStatus=0)"
    attrs=oathHOTPCounter val/integerMatch="0"
    by group/aeGroup/member="cn=2fa admins,cn=2fa,ou=ae-dir" =ra
    by * break
# allow 2FA admins to delete any value
access to dn.subtree="ou=ae-dir" filter="(aeStatus=0)"
    attrs=oathHOTPCounter
    by group/aeGroup/member="cn=2fa admins,cn=2fa,ou=ae-dir" =rz
    by * none
Ciao, Michael.
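As an added illustration, not from the thread or from OpenLDAP's own code: a small Python model of the replace check Howard describes, with slapd evaluating a replace as "delete the whole attribute (no value)" followed by "add each new value". It assumes simplified semantics (one attribute per ACL, only the stop and break controls, the group clause treated as a plain subject match) and reproduces why the single val-qualified ACL fails while the =ra/=rz pair works.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

ADMINS = "cn=2fa admins,cn=2fa,ou=ae-dir"  # the group from the thread, used as the 'who'
ATTR = "oathHOTPCounter"
@dataclass
class Acl:
    attr: str                             # attrs= clause
    val: Optional[str]                    # val/integerMatch="..." clause, None if absent
    by: List[Tuple[str, Set[str], str]]   # (who, privilege letters, "stop" | "break")

def acl_privs(acls: List[Acl], who: str, attr: str, value: Optional[str]) -> Set[str]:
    """Privilege letters `who` holds on attr. value=None is a whole-attribute check,
    which is what slapd runs for the delete half of a replace."""
    granted: Set[str] = set()
    for acl in acls:
        if acl.attr != attr:
            continue
        # An ACL with a val clause is skipped when the check carries no value,
        # so it can never grant the 'z' needed to wipe the attribute.
        if acl.val is not None and (value is None or value != acl.val):
            continue
        for subject, privs, control in acl.by:
            if subject not in ("*", who):
                continue
            granted |= privs | ({"a", "z"} if "w" in privs else set())  # 'write' = add + delete
            if control == "stop":
                return granted
            break  # "break": leave this ACL, keep evaluating the following ones
        else:
            return granted  # no by clause matched: implicit 'by * none stop'
    return granted

def can_replace(acls: List[Acl], who: str, new_values: List[str]) -> bool:
    """slapd checks a replace as delete-all (needs 'z', no value) followed by
    adding each new value (needs 'a', checked against that value)."""
    if "z" not in acl_privs(acls, who, ATTR, None):
        return False
    return all("a" in acl_privs(acls, who, ATTR, v) for v in new_values)

# The single value-qualified ACL from the first mail: 'write', but only on value 0.
SINGLE = [Acl(ATTR, "0", [(ADMINS, {"w"}, "stop"), ("*", set(), "break")])]
# The pair from the last mail: '=ra' on value 0 plus '=rz' on the attribute as a whole.
PAIR = [Acl(ATTR, "0", [(ADMINS, {"r", "a"}, "stop"), ("*", set(), "break")]),
        Acl(ATTR, None, [(ADMINS, {"r", "z"}, "stop"), ("*", set(), "stop")])]

if __name__ == "__main__":
    print(can_replace(SINGLE, ADMINS, ["0"]))  # False: the delete step finds no 'z'
    print(can_replace(PAIR, ADMINS, ["0"]))    # True
    print(can_replace(PAIR, ADMINS, ["42"]))   # False: no 'a' for any value but 0
```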
openldap-technical@openldap.org