I'm not using Kerberos, but this is how I allow my users to update any
attribute in their own entry. The userPassword attribute is only visible
if you're authenticated as the entry (the "$^" hack is to catch anonymous
users, which for some reason don't match the preceding simple *).

defaultaccess read
access to attrs=userPassword
    by self write
    by * none
    by dn="^$" none
access to *
    by self write

If you wanted some read-only attributes, just insert the following before the
"access to *":

access to attrs=read-only-attrs
    by * read

-- 
Mark Bixby                      E-mail: markb@cccd.edu
Coast Community College Dist.   Web: http://www.cccd.edu/~markb/
District Information Services   1370 Adams Ave., Costa Mesa, CA, USA 92626-5429
Technical Support               +1 714 432-5865 x7064
"You can tune a file system, but you can't tune a fish." - tunefs(1M)