Tim Gustafson wrote:

I'd like to let my account managers clear the passwords of their managees in 
the event that an employee is no longer active.  So, I've got an ACL like this:

access to attrs=userPassword,sambaNTPassword
 by set="this/manager & user" write
 by * break

But I realized that the ACL also allows the manager to -change- a user's 
password, which I don't really want.

Is there some ACL that I can grant that would let a manager remove an attribute 
from another user's account, but not otherwise change the value of that 
attribute?

If by "manager" you mean the rootdn, it bypasses ACL checking. If you mean a normal user which application-wise is granted higher privileges by ACLs, you need to make use of the granular "a" (add) and "z" (zap) privileges (their union is "w", write).

Something like

access to attrs=userPassword,sambaNTPassword
 by set="this/manager & user" =z
 by * break

p.
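To make the difference between the two ACLs concrete, here is a small Python model of the slapd.access(5) privilege grammar; it is an added illustration, not slapd code or anything from the thread. The level names (none ... write) are cumulative, while the `{=|+|-}<letters>` form works on individual privilege bits, with `w` being shorthand for `az`. The mapping of modify change types onto `a`/`z` (delete needs `z`, add needs `a`, replace needs `z` plus `a` when new values are supplied) is my reading of how slapd checks a modify request and is an assumption of this model. The `manager_capabilities` helper and its labels are invented for the example.

```python
"""Toy model of the slapd.access(5) <access> privilege grammar, used to show
why `write` lets a manager set a new password while `=z` only lets them
remove the existing one.  Constructed for illustration; this is not slapd
code and it ignores everything except attribute-level privilege bits."""

# Cumulative access levels, lowest to highest, and the granular privilege
# letters each one grants (every level includes the ones below it).
LEVELS = {
    "none":     set(),
    "disclose": {"d"},
    "auth":     {"d", "x"},
    "compare":  {"d", "x", "c"},
    "search":   {"d", "x", "c", "s"},
    "read":     {"d", "x", "c", "s", "r"},
    "write":    {"d", "x", "c", "s", "r", "a", "z"},
}

# Letters accepted in the {=|+|-}<letters> form.  'w' is shorthand for the
# two write privileges 'a' (add values) and 'z' (delete values).
PRIV_LETTERS = {
    "0": set(), "d": {"d"}, "x": {"x"}, "c": {"c"}, "s": {"s"},
    "r": {"r"}, "a": {"a"}, "z": {"z"}, "w": {"a", "z"},
}


def privs_from_spec(spec, current=frozenset()):
    """Return the privilege set granted by one <access> spec.

    `spec` is either a level name ("write") or a modifier plus letters
    ("=z", "+a", "-w").  `current` is the set already granted, which the
    '+' and '-' forms adjust; '=' and level names replace it outright.
    """
    if spec in LEVELS:
        return set(LEVELS[spec])
    mode, letters = spec[0], spec[1:]
    if mode not in "=+-" or not letters:
        raise ValueError(f"bad access spec: {spec!r}")
    granted = set()
    for ch in letters:
        if ch not in PRIV_LETTERS:
            raise ValueError(f"unknown privilege letter {ch!r} in {spec!r}")
        granted |= PRIV_LETTERS[ch]
    if mode == "=":
        return granted
    if mode == "+":
        return set(current) | granted
    return set(current) - granted


def modify_allowed(privs, mod_op, has_values=True):
    """Decide whether one LDAP modify change on an attribute is allowed.

    Assumed mapping (see lead-in): 'delete' needs 'z'; 'add' needs 'a';
    'replace' always needs 'z' because the old values are discarded, and
    additionally needs 'a' when new values are supplied.  A 'replace' with
    no values therefore clears the attribute with only 'z'.
    """
    if mod_op == "delete":
        return "z" in privs
    if mod_op == "add":
        return "a" in privs
    if mod_op == "replace":
        return "z" in privs and ("a" in privs or not has_values)
    raise ValueError(f"unknown modify type {mod_op!r}")


def manager_capabilities(access_spec):
    """What a matching 'by set="this/manager & user" <access>' clause lets the
    manager do to userPassword, as a dict of change description -> allowed."""
    privs = privs_from_spec(access_spec)
    return {
        "delete: userPassword":             modify_allowed(privs, "delete", False),
        "delete: one specific value":       modify_allowed(privs, "delete", True),
        "replace: userPassword (no value)": modify_allowed(privs, "replace", False),
        "replace: userPassword with new":   modify_allowed(privs, "replace", True),
        "add: userPassword with new":       modify_allowed(privs, "add", True),
        "read the stored hash":             "r" in privs,
    }


if __name__ == "__main__":
    # "write" is the ACL from the question, "=z" the one from the answer.
    for spec in ("write", "=z"):
        print(f'by set="this/manager & user" {spec}')
        for change, ok in manager_capabilities(spec).items():
            print(f"  {'allow' if ok else 'deny ':5}  {change}")
```

Running it side by side shows the practical caveat: the original `write` clause grants not just add and delete but also read of the stored hash, whereas `=z` leaves the manager able to remove the attribute (by `delete` or by an empty `replace`) and nothing else. Because `=z` is a granular spec it does not imply any lower level, so if those managers also need to see or search the attribute that has to be granted explicitly.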
