I think one of these filters would work.
I would like to give read access for all to objectclass=posixAccount,
except for the attribute description (covered by FERPA).
It would be nice if I could do something like:
access to attr=posixAccount,!attr=description
or
access to attr=posixAccount,attr=uid,attr=gecos,etc..
leaving off description to accomplish this.
Let us say you have the following structure as viewed in vlad:
+"cn=browsablepeople,dc=testing,dc=edu"
Also, let us say that you have a "description: FERBIE" for
FERPA protected accounts.
Check the filter syntax against this:
http://www.OpenLDAP.org/doc/admin/
Only accounts without the description=FERBIE should be
displayed in the testing.edu domain with this filter.
access to dn.children="cn=browsablepeople,dc=testing,dc=edu"
filter=(objectclass=posixAccount)
filter=(!(description=FERBIE))
by domain=.*\.testing\.edu read
Simpler yet may be this complicated combo that uses an and statement.
[Translations] --- objectclass=posixaccount [and] not(description=FERBIE)
access to dn.children="cn=browsablepeople,dc=testing,dc=edu"
filter=(&(objectclass=posixAccount)(!(description=FERBIE)))
by domain=.*\.testing\.edu read
There is no reason to change unless you want to make your system more
complicated for job security. ;-)
Not many understand the filters.
access to attr=description
by * none
access to attr=posixAccount
by * read
-Ted
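An added example, not part of Ted's message: a small evaluator for the filter subset used in the ACLs above (&, |, ! and attr=value), run against constructed entries so you can check which accounts the combined filter would expose before putting it in slapd.conf. It assumes case-insensitive equality matching for the attributes involved; slapd does the real evaluation, this only models the filter logic.

```python
# Added example (not from the original post): evaluate the ACL filter
# (&(objectClass=posixAccount)(!(description=FERBIE))) against sample
# entries. Assumes caseIgnore-style equality matching for all attributes.

def parse_filter(s):
    """Parse a parenthesised LDAP filter into nested tuples."""
    def parse(i):
        assert s[i] == "(", "expected '('"
        i += 1
        if s[i] in "&|":                      # AND / OR over sub-filters
            op, i, subs = s[i], i + 1, []
            while s[i] == "(":
                sub, i = parse(i)
                subs.append(sub)
            assert s[i] == ")"
            return (op, subs), i + 1
        if s[i] == "!":                       # NOT of one sub-filter
            sub, i = parse(i + 1)
            assert s[i] == ")"
            return ("!", [sub]), i + 1
        end = s.index(")", i)                 # simple attr=value item
        attr, value = s[i:end].split("=", 1)
        return ("=", attr.lower(), value), end + 1
    node, i = parse(0)
    assert i == len(s), "trailing characters after filter"
    return node

def matches(node, entry):
    """Evaluate a parsed filter; entry maps lowercase attr -> list of values."""
    if node[0] == "&":
        return all(matches(n, entry) for n in node[1])
    if node[0] == "|":
        return any(matches(n, entry) for n in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    return any(v.lower() == value.lower() for v in entry.get(attr, []))

# Constructed sample entries (hypothetical) under cn=browsablepeople,dc=testing,dc=edu.
ENTRIES = {
    "uid=alice": {"objectclass": ["posixAccount"], "uid": ["alice"]},
    "uid=bob": {"objectclass": ["posixAccount"], "uid": ["bob"], "description": ["FERBIE"]},
    "cn=printers": {"objectclass": ["groupOfNames"], "description": ["FERBIE"]},
}

BROWSABLE = "(&(objectClass=posixAccount)(!(description=FERBIE)))"

def readable_dns(filter_str=BROWSABLE, entries=ENTRIES):
    """Return, sorted, the DNs an ACL with this filter would grant read on."""
    node = parse_filter(filter_str)
    return sorted(dn for dn, e in entries.items() if matches(node, e))

if __name__ == "__main__":
    print(readable_dns())   # ['uid=alice']
```

Only alice is exposed: bob is a posixAccount but carries the FERBIE marker, and the printers entry is not a posixAccount at all.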