HI! Maybe I'm doing something obviously wrong but I don't see it. I want to limit the right to reset a counter value solely to zero with this ACL directive: add_content_acl yes [..] access to dn.subtree="ou=ae-dir" filter="(aeStatus=0)" attrs=oathHOTPCounter val/integerMatch="0" by group/aeGroup/member="cn=2fa admins,cn=2fa,ou=ae-dir" write by * break [..] The modify request looks like this (old value is 10): dn: serialNumber=yubikey-23,cn=2fa,ou=ae-dir changetype: modify replace: oathHOTPCounter oathHOTPCounter: 0 - It seems the ACL does not trigger, without the val= part the modification is allowed (but to any value). I also tried other forms:

val="0" val=0 val.regex="^0$" Can somebody help me? Thanks in advance. Ciao, Michael.

Howard Chu wrote: > Michael Ströder wrote: >> Maybe I'm doing something obviously wrong but I don't see it. >> >> I want to limit the right to reset a counter value solely to zero with this >> ACL directive: >> >> add_content_acl yes >> [..] >> access to >> dn.subtree="ou=ae-dir" >> filter="(aeStatus=0)" >> attrs=oathHOTPCounter >> val/integerMatch="0" >> by group/aeGroup/member="cn=2fa admins,cn=2fa,ou=ae-dir" write >> by * break >> [..] >> >> The modify request looks like this (old value is 10): >> >> dn: serialNumber=yubikey-23,cn=2fa,ou=ae-dir >> changetype: modify >> replace: oathHOTPCounter >> oathHOTPCounter: 0 >> - >> >> It seems the ACL does not trigger, without the val= part the modification is >> allowed (but to any value). I also tried other forms: > > Your ACL is set on a specific value. The replace op doesn't delete a specific > value, it deletes the entire attribute. Hmm, so for enforcing that a client can only set a specific value I'd have to use two ACLs: 1. One for deleting an arbitrary value -> =z (or =zr in my case) and 2. another one with val=0 -> =a. Right?