On Tue, 29 Jun 2010, Tim Gustafson wrote:

> access to attrs=userPassword,sambaNTPassword
>         by set="this/manager & user" write
>         by * break
>
> But I realized that the ACL also allows the manager to -change- a user's
> password, which I don't really want.
>
> Is there some ACL that I can grant that would let a manager remove an attribute
> from another user's account, but not otherwise change the value of that
> attribute?
Probably depends on what your LDAP clients are looking for. Some ideas to
think about:
* grant delete access, then the user shouldn't be able to bind. (Assuming
  compatible schema and applications.)

* grant write access to some sort of "enabled" attribute:

  * Perhaps you're using shadowAccounts, or an LDAP group that you could
    allow managers to write to (perhaps with a set and/or regex that ensures
    that they only write/delete DNs relevant to their own employees), or it'd
    be worth registering your own localAttributeManagerDisabled, or.....
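As an added illustration of the first suggestion (this is not from either poster in the thread), here is how the quoted ACL can be narrowed so that a manager holds only the delete privilege on the password attributes. It relies on the privilege letters documented in slapd.access(5): `z` is delete, `a` is add, and `w` (write) is `a` plus `z`. A modify operation that removes an attribute (`delete:`) is checked against the delete privilege, while `replace:` is checked against write, so `=z` lets a manager strip the hash but not set one. The `this/manager & user` set is taken from the original ACL; the second, fall-through rule is an assumption about what the rest of the configuration looks like.

```conf
# slapd.conf ACL fragment (added example, not the thread's own config).
#
# Managers of an entry (the set "this/manager & user" from the original
# ACL) get only the "z" (delete) privilege on the password attributes:
#   - a modify with "delete: userPassword" needs z  -> allowed
#   - a modify with "replace: userPassword" needs w (= a + z) -> refused
#   - a modify with "add: userPassword" needs a -> refused
# "=z" sets the privilege exactly, so the manager also gets no r/c/x and
# cannot read or compare the stored hashes.
access to attrs=userPassword,sambaNTPassword
        by set="this/manager & user" =z
        by * break

# Everyone else falls through to the usual password rule (assumed here).
access to attrs=userPassword,sambaNTPassword
        by self write
        by anonymous auth
        by * none
```

With this in place, a manager locks a report out by running ldapmodify against the report's DN with an LDIF containing `changetype: modify` followed by `delete: userPassword` (and `delete: sambaNTPassword`), with no values, which removes the whole attribute. The same bind sending `replace: userPassword` is rejected with insufficientAccessRights (result code 50). The caveat in the reply still applies: this only stops binds that go through those attributes, so clients authenticating another way (SASL pass-through, cached credentials) are unaffected, and re-enabling the account needs someone with add or write access to set a new hash.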