
I'd like the following:

1) cn=Manager,dc=example,dc=com can access everything in dc=example,dc=com (DONE)

2) All posixAccount or inetOrgPerson objects in ou=people,dc=example,dc=com should be allowed to change the password of the "self" entry (sorry, lacking better terms, I don't know if that's appropriate) but no one else (except for Manager, of course)

First, use a subtreeSpecification like the following, which restricts the subentry to the two object classes, together with this ACI item:

{ specificationFilter or:{ item:posixAccount, item:inetOrgPerson } }
{
 identificationTag "allowUserToChangeHisOrHerPassword_ACI",
 precedence 10, authenticationLevel simple,
 itemOrUserFirst userFirst:
 {
   userClasses {  thisEntry  },
   userPermissions
   {
     {
       protectedItems {  entry  },
       grantsAndDenials {  grantModify  }
     },
     {
       protectedItems {  allAttributeValues {  userPassword  }  },
       grantsAndDenials {  grantRemove, grantAdd  }
     }
   }
 }
}

If you also want the user to be able to read his or her own password value, add grantRead to the second userPermission.

For this ACI to work, the userPassword attribute must already have a value before the user tries to add one. Otherwise the operation creates the attribute itself, and the user then needs grantAdd on the attributeType userPassword (which this ACI system can also express).
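As an added example that is not part of the original page, here is how the subtreeSpecification and ACI above can be packaged into an ApacheDS accessControlSubentry under dc=example,dc=com. It assumes dc=example,dc=com is not yet an access-control administrative point (hence the administrativeRole modification), and it adds a base "ou=people" clause so the subentry only covers that subtree; both are my additions.

```ldif
# Constructed example, not from the original page.
# Step 1: make dc=example,dc=com an access-control specific administrative
# point so that subentries placed under it are evaluated.
dn: dc=example,dc=com
changetype: modify
add: administrativeRole
administrativeRole: accessControlSpecificArea

# Step 2: the subentry carrying the page's subtreeSpecification and ACI.
# The base "ou=people" clause (added here) limits the subtree to
# ou=people,dc=example,dc=com; the filter keeps only the two object classes.
# Continuation lines in LDIF start with exactly one space.
dn: cn=allowUserToChangeHisOrHerPassword,dc=example,dc=com
changetype: add
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: allowUserToChangeHisOrHerPassword
subtreeSpecification: { base "ou=people", specificationFilter
  or:{ item:posixAccount, item:inetOrgPerson } }
prescriptiveACI: { identificationTag "allowUserToChangeHisOrHerPassword_ACI",
  precedence 10, authenticationLevel simple,
  itemOrUserFirst userFirst: {
   userClasses { thisEntry },
   userPermissions {
    { protectedItems { entry },
      grantsAndDenials { grantModify } },
    { protectedItems { allAttributeValues { userPassword } },
      grantsAndDenials { grantRemove, grantAdd } }
   }
  }
 }
```

Load it with ldapmodify as cn=Manager,dc=example,dc=com; because the ACI grants only grantRemove and grantAdd on existing values, each user entry needs a userPassword value before a self-service change will succeed, as the text above explains.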
