I think the question was rather how to make an aci grant access as a function of the value of the objectclass attribute in its entry. In the example, both objectclasses allow the cn attribute but we want the aci to apply in one case but not the other.
distinguish by objectclass ( I may want to expose cn for inetorgperson but not for residentialperson by default).
So, I don't see how your suggestion allows that distinction to be made.
Rob.
"Kurt D. Zeilenga" wrote:
Rob,
Instead of a filter restricted to object classes, why not
reintroduce collections concept, but define collections
as being a collection of object classes? The ACI would apply
to all attributes allowed by any of the object classes within
the collection.
Kurt
At 04:45 PM 7/21/00 +0200, Rob Byrne - Sun Microsystems wrote:
Haripriya,
You are right that there is no way to do this in the current draft. I think it's a useful feature and should probably be added.
It involves adding the capability to specify an LDAP filter (restricted to objectclass only?) to the ldapACI.
Rob.
In the current model of ACL I cannot find how to actually set ACLs for a 'to be created entry' based on its objectClass. For example, I may want a set of ACLs to be present for all the objects of type inetorgperson, to expose certain attributes by default to even an unauthenticated user. It would help in this case, if I have mechanisms to set ACLs for the objectclass itself, so that any entry of that class created automatically gets these ACLs. The other alternative would be for me to set these ACLs at one parent with scope subtree and let all the entries under that parent inherit these ACLs. But this would not let me distinguish by objectclass (I may want to expose cn for inetorgperson but not for residentialperson by default). Does anybody have ideas on this?
Thanks and Regards,
Haripriya
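
Added illustration, not part of the thread and not ldapACI draft syntax: a toy Python model of the three options discussed above (an ACI set on a parent with subtree scope, a collection of object classes, and an ACI carrying a filter on objectClass), showing which entries would expose cn to an unauthenticated reader. The schema subset, entries, DNs and function names are constructed assumptions.

```python
# Toy model of the three options in the thread; not ldapACI syntax.
# Constructed, simplified schema subset: both classes allow cn.
SCHEMA = {
    "inetorgperson": {"cn", "sn", "mail"},
    "residentialperson": {"cn", "sn", "street"},
}

# Constructed sample entries under one parent (single objectclass each, for brevity).
BASE = "ou=people,dc=example,dc=com"
ENTRIES = [
    {"dn": "cn=Ann," + BASE, "objectclass": "inetOrgPerson", "cn": "Ann"},
    {"dn": "cn=Bob," + BASE, "objectclass": "residentialPerson", "cn": "Bob"},
]

def in_subtree(dn, base):
    """Simplified DN suffix match (case-insensitive, no escaping rules)."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)

def subtree_aci(entry, attr):
    """ACI on the parent with subtree scope: every entry below inherits it."""
    return in_subtree(entry["dn"], BASE) and attr == "cn"

def collection_aci(entry, attr, collection=("inetorgperson",)):
    """Collection of object classes: picks attributes allowed by any class
    in the collection. It selects attributes, not entries."""
    allowed = set().union(*(SCHEMA[c] for c in collection))
    return in_subtree(entry["dn"], BASE) and attr in allowed

def filtered_aci(entry, attr, objectclass="inetorgperson"):
    """Hypothetical ACI with a filter restricted to objectClass:
    the entry must match the filter before the attribute grant applies."""
    return (in_subtree(entry["dn"], BASE) and attr == "cn"
            and entry["objectclass"].lower() == objectclass)

def anonymous_cn_exposure(aci):
    """DNs whose cn an unauthenticated user could read under this ACI."""
    return [e["dn"] for e in ENTRIES if aci(e, "cn")]

if __name__ == "__main__":
    for aci in (subtree_aci, collection_aci, filtered_aci):
        print(f"{aci.__name__:15} {anonymous_cn_exposure(aci)}")
```

Only the filtered variant keeps cn of the residentialPerson entry hidden; the other two expose it on both entries because cn is allowed by both classes.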