Michael Ströder wrote:
Howard Chu wrote:
> Michael Ströder wrote:
>> Maybe I'm doing something obviously wrong but I don't see it.
>>
>> I want to limit the right to reset a counter value solely to zero with this
>> ACL directive:
>>
>> add_content_acl yes
>> [..]
>> access to
>> dn.subtree="ou=ae-dir"
>> filter="(aeStatus=0)"
>> attrs=oathHOTPCounter
>> val/integerMatch="0"
>> by group/aeGroup/member="cn=2fa admins,cn=2fa,ou=ae-dir" write
>> by * break
>> [..]
>>
>> The modify request looks like this (old value is 10):
>>
>> dn: serialNumber=yubikey-23,cn=2fa,ou=ae-dir
>> changetype: modify
>> replace: oathHOTPCounter
>> oathHOTPCounter: 0
>> -
>>
>> It seems the ACL does not trigger; without the val= part the modification is
>> allowed (but to any value). I also tried other forms:
>
> Your ACL is set on a specific value. The replace op doesn't delete a specific
> value, it deletes the entire attribute.
Hmm, so for enforcing that a client can only set a specific value I'd have to
use two ACLs:

1. One for deleting an arbitrary value -> =z (or =zr in my case) and
2. another one with val=0 -> =a.

Right?

Thanks for pointing out the obvious.

This seems to work like I want:
# allow 2FA admins to add new value 0
access to
dn.subtree="ou=ae-dir"
filter="(aeStatus=0)"
attrs=oathHOTPCounter
val/integerMatch="0"
by group/aeGroup/member="cn=2fa admins,cn=2fa,ou=ae-dir" =ra
by * break

# allow 2FA admins to delete any value
access to
dn.subtree="ou=ae-dir"
filter="(aeStatus=0)"
attrs=oathHOTPCounter
by group/aeGroup/member="cn=2fa admins,cn=2fa,ou=ae-dir" =rz
by * none

Ciao, Michael.
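As an added illustration (not part of this thread and not OpenLDAP code), a small Python model of why the single value-specific ACL never fires on a replace and why the two-ACL version does: slapd checks a replace as "delete the whole attribute" (no value, so a val/ clause is skipped) followed by "add each new value". The Acl class, check() and modify_allowed() are this example's own simplifications of slapd's evaluation.

```python
from dataclasses import dataclass
from typing import Optional
# Toy model of slapd ACL evaluation, not OpenLDAP code; Acl, check() and
# modify_allowed() are this example's own names. Privilege letters follow
# slapd's "=xxx" syntax: r read, a add, z delete (write = a + z).
@dataclass
class Acl:
    attr: str
    privs: dict                # group DN -> privilege letters, e.g. {GROUP: "ra"}
    val: Optional[str] = None  # val/integerMatch="..."; None = applies to any value
    default: str = "none"      # trailing "by *" clause: "break" or "none"

def check(acls, who, attr, priv, value=None):
    """Walk ACLs top-down. A clause with val/ only applies when a value is being
    checked and matches; a no-value check (delete the whole attribute) skips it."""
    for acl in acls:
        if acl.attr != attr:
            continue
        if acl.val is not None and (value is None or int(value) != int(acl.val)):
            continue
        if who in acl.privs:
            return priv in acl.privs[who]
        if acl.default != "break":
            return False
    return False

def modify_allowed(acls, who, attr, op, values):
    """Decompose a modify as slapd checks it: replace = delete the whole attribute
    (no value) plus add each new value; delete without values is whole-attribute."""
    if op == "replace":
        return check(acls, who, attr, "z") and all(
            check(acls, who, attr, "a", v) for v in values)
    if op == "add":
        return all(check(acls, who, attr, "a", v) for v in values)
    if op == "delete":
        return (check(acls, who, attr, "z") if not values
                else all(check(acls, who, attr, "z", v) for v in values))
    raise ValueError(op)

GROUP = "cn=2fa admins,cn=2fa,ou=ae-dir"
ATTR = "oathHOTPCounter"
# The single value-specific ACL from the question ("write" = add + delete)
ORIGINAL = [Acl(ATTR, {GROUP: "raz"}, val="0", default="break")]
# The two ACLs from the follow-up: add only value 0, delete any value
FIXED = [Acl(ATTR, {GROUP: "ra"}, val="0", default="break"),
         Acl(ATTR, {GROUP: "rz"})]
if __name__ == "__main__":
    print(modify_allowed(ORIGINAL, GROUP, ATTR, "replace", ["0"]))  # False
    print(modify_allowed(FIXED, GROUP, ATTR, "replace", ["0"]))     # True
```

With FIXED, a replace to 0 passes, a replace to any other value fails at the add step, and a delete of the old value 10 is granted by the second ACL alone.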