A Forum reader recently asked:
“Apparently a long time ago we granted users the ability to modify their own telephone numbers and other attributes that belonged to them. Now I want to get rid of that (we’re going to use UserApp, and the [This] object will work better).
Is there a way to change the individual trustee assignments without going through them one by one? I know we did it in the past, I just cannot remember how …”
And here’s the response from Aaron Burgemeister …
That should be fairly simple. Each ACL will look very distinct in its
dn: cn=admin,dc=user,dc=system
acl: 6#entry#cn=admin,dc=user,dc=system#telephonenumber
This is just an example, and I guessed at the attribute name – but this is the basic idea. The first numeral (maybe not 6 in real life … I didn’t check) is the right and should be the same for all your users for Modify or Write, or whatever right you have granted. The second part is ‘entry’ or ‘subtree’ and will probably be ‘entry’ for you. The third field is (tada) your DN again. The last is the attribute itself, whatever that is (check from one of your real users).
So with a simple search/replace (regex really), you should be able to do what you need by just exporting the DNs for all users in your tree. You’ll end up with something like this:
dn: cn=user0,o=context
dn: cn=user1,o=context
dn: cn=user2,o=context
Now just replace everything after the DN with:
changetype: modify
delete: acl
acl: 6#entry#theStuffAfterTheDN#telephonenumber
The regex is needed to get ‘theStuffAfterTheDN’ to be cn=user0,o=context or cn=user1,o=context, etc.
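
The search/replace described in the answer above, written out as a script. This is an added example, not part of the original forum post, and it goes one step further than a plain regex by handling folded and base64-encoded dn lines in the export. The function names and the sample export are constructed for illustration; the rights value 6 and the attribute telephonenumber are the guesses from the post and are passed as parameters.

```python
import base64
import re

# Constructed sample export (not from the original post): one plain DN,
# one DN folded across two lines, and one base64-encoded non-ASCII DN.
SAMPLE_EXPORT = (
    "version: 1\n\n"
    "dn: cn=user0,o=context\n\n"
    "dn: cn=user1,ou=a-very-long-container-name,\n o=context\n\n"
    "dn:: " + base64.b64encode("cn=üser2,o=context".encode("utf-8")).decode("ascii") + "\n"
)

def extract_dns(ldif_text):
    """Return every DN in an LDIF export, unfolding lines and decoding 'dn::' values."""
    unfolded = re.sub(r"\r?\n ", "", ldif_text)  # a leading space continues the previous line
    dns = []
    for line in unfolded.splitlines():
        m = re.match(r"dn(::?)\s*(.*)$", line, re.IGNORECASE)
        if m:
            value = m.group(2).strip()
            if m.group(1) == "::":
                value = base64.b64decode(value).decode("utf-8")
            dns.append(value)
    return dns

def attr_line(name, value):
    """Emit 'name: value', or base64 'name:: ...' if the value is not plain ASCII (simplified check)."""
    if value.isascii() and value == value.strip() and value[:1] not in (":", "<"):
        return f"{name}: {value}"
    return f"{name}:: " + base64.b64encode(value.encode("utf-8")).decode("ascii")

def build_acl_delete_ldif(ldif_text, rights="6", scope="entry", attribute="telephonenumber"):
    """Build one modify record per DN that deletes that user's self-ACL on `attribute`.

    rights and attribute default to the values guessed in the post; confirm
    them against a real user's acl value before importing.
    """
    records = []
    for dn in extract_dns(ldif_text):
        records.append("\n".join([
            attr_line("dn", dn),
            "changetype: modify",
            "delete: acl",
            attr_line("acl", f"{rights}#{scope}#{dn}#{attribute}"),
        ]) + "\n")
    return "\n".join(records)  # blank line between records

if __name__ == "__main__":
    print(build_acl_delete_ldif(SAMPLE_EXPORT))
```

Run it against a single test user first: an LDAP delete of a specific acl value only succeeds when the value matches what is stored on the entry.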