Hi,
I am looking for a way to allow certain support individuals to unlock LDAP accounts that have been locked by too many failed auth attempts (ppolicy); however, I do not want them to be able to unlock accounts that have been locked for administrative reasons. I was assuming I could use an ACL like the one below, since we lock an account for administrative reasons with the same pwdAccountLockedTime value:

{6}to dn.subtree="cn=users,dc=company,dc=com" filter=(!(pwdAccountLockedTime=000001010000Z))
    by group/groupOfUniqueNames/uniqueMember.exact="cn=user_admins,cn=groups,dc=company,dc=com" write
    by users read
{7}to dn.subtree="cn=users,dc=company,dc=com" filter=(pwdAccountLockedTime=000001010000Z)
    by group/groupOfUniqueNames/uniqueMember.exact="cn=super_user_admins,cn=groups,dc=company,dc=com" write
    by users read
I know that for a search with that filter an index on pwdAccountLockedTime would be beneficial, but would it help for an ACL filter?
Does this seem like a reasonable approach?
Thanks in advance,
Al
On Thu, May 09, 2013 at 02:18:55PM -0400, Al wrote:
> I am looking for a way to allow certain support individuals to unlock LDAP accounts that have been locked by too many failed auth attempts (ppolicy); however, I do not want them to be able to unlock accounts that have been locked for administrative reasons. I was assuming I could use an ACL like the one below, since we lock an account for administrative reasons with the same pwdAccountLockedTime value:
>
> {6}to dn.subtree="cn=users,dc=company,dc=com" filter=(!(pwdAccountLockedTime=000001010000Z))
>     by group/groupOfUniqueNames/uniqueMember.exact="cn=user_admins,cn=groups,dc=company,dc=com" write
>     by users read
> {7}to dn.subtree="cn=users,dc=company,dc=com" filter=(pwdAccountLockedTime=000001010000Z)
>     by group/groupOfUniqueNames/uniqueMember.exact="cn=super_user_admins,cn=groups,dc=company,dc=com" write
>     by users read
Those ACIs control general read access - I assume you would modify them to grant write access to just the pwdAccountLockedTime attribute. In fact you may need to grant 'manage' access, as this is an operational attribute that is not usually modified directly.
> I know that for a search with that filter an index on pwdAccountLockedTime would be beneficial, but would it help for an ACL filter?
An index is very unlikely to make any difference to the ACL you propose.
Andrew
openldap-technical@openldap.org
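Putting the two halves of the thread together (Al's filter-based split on the pwdAccountLockedTime value, and Andrew's point that the attribute is operational and needs 'manage' rather than 'write'), here is an added example; it is not code from the thread or from OpenLDAP. A small POSIX shell script emits the two ACL rules restricted to the pwdAccountLockedTime attribute, mirrors the filter split locally, and builds the unlock modification sent with the Relax Rules control. The base and group DNs are the ones from the thread; the function names, the sample uid=jdoe and uid=support1 entries, and the LDAPMODIFY/LDAP_URI overrides are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenLDAP itself.
# Generates the ACL that lets support staff clear ppolicy lockouts while
# reserving administratively locked accounts for a second group, plus the
# unlock modification. DNs below are the ones from the thread; the sample
# uid=jdoe entry and the LDAPMODIFY/LDAP_URI overrides are assumptions.

ADMIN_LOCK='000001010000Z'    # slapo-ppolicy's marker for "locked permanently by an administrator"
USERS_BASE='cn=users,dc=company,dc=com'
SUPPORT_GROUP='cn=user_admins,cn=groups,dc=company,dc=com'
SUPER_GROUP='cn=super_user_admins,cn=groups,dc=company,dc=com'

# Emit the two rules in slapd.conf syntax. Differences from the posted ACL:
#  - attrs=pwdAccountLockedTime, so the rules touch only the lock attribute
#    instead of granting write on the whole entry;
#  - 'manage' instead of 'write', because pwdAccountLockedTime is
#    NO-USER-MODIFICATION and is deleted via the Relax Rules control.
acl_rules() {
    cat <<EOF
# no lock at all, or a lockout timestamp set by ppolicy after failed binds
access to dn.subtree="$USERS_BASE"
        filter=(!(pwdAccountLockedTime=$ADMIN_LOCK))
        attrs=pwdAccountLockedTime
        by group/groupOfUniqueNames/uniqueMember.exact="$SUPPORT_GROUP" manage
        by group/groupOfUniqueNames/uniqueMember.exact="$SUPER_GROUP" manage
        by users read
# the administrative lock value: only the second group may clear it
access to dn.subtree="$USERS_BASE"
        filter=(pwdAccountLockedTime=$ADMIN_LOCK)
        attrs=pwdAccountLockedTime
        by group/groupOfUniqueNames/uniqueMember.exact="$SUPER_GROUP" manage
        by users read
EOF
}

# Local mirror of the two filters: prints which rule an entry with the given
# pwdAccountLockedTime value falls under ('' = attribute absent).
lock_class() {
    case "$1" in
        "$ADMIN_LOCK") echo administrative ;;
        '')            echo unlocked ;;
        *)             echo ppolicy ;;
    esac
}

# LDIF that unlocks an account: removing pwdAccountLockedTime is how
# slapo-ppolicy documents clearing a lock.
unlock_ldif() {
    cat <<EOF
dn: $1
changetype: modify
delete: pwdAccountLockedTime
EOF
}

# Apply the unlock as a given bind DN ($2). -e relax sends the Relax Rules
# control; without it slapd rejects changes to an operational attribute, and
# with it the ACL must grant 'manage'. LDAPMODIFY/LDAP_URI can be overridden
# so the function can be dry-run without a directory server.
unlock_account() {
    unlock_ldif "$1" |
        "${LDAPMODIFY:-ldapmodify}" -x -H "${LDAP_URI:-ldap://localhost}" -D "$2" -W -e relax
}

if [ "${1:-}" = demo ]; then
    acl_rules
    echo
    unlock_ldif 'uid=jdoe,cn=users,dc=company,dc=com'
fi
```

The two filters are complementary: an entry whose pwdAccountLockedTime is 000001010000Z matches only the second rule, while a ppolicy lockout timestamp (for example 20130509181855Z), or no value at all, matches the first. slapd tests the filter against the entry as it stands before the modification and uses the first `to` clause that matches the entry and attribute, so these rules need to sit ahead of any broader rule that grants write on the same subtree; that per-entry test is also why an index on the attribute does not speed up the ACL check. On a cn=config deployment the same two rule bodies, minus the leading `access`, are the `olcAccess: {6}...` and `{7}...` values of the database entry, which is where the prefixes in the posted ACL come from.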