From:
<http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html>
More specifically:
Sec. 99.37 What conditions apply to disclosing directory information?
(a) An educational agency or institution may disclose directory
information if it has given public notice to parents of students in
attendance and eligible students in attendance at the agency or
institution of:
(1) The types of personally identifiable information that the agency
or institution has designated as directory information;
(2) A parent's or eligible student's right to refuse to let the
agency or institution designate any or all of those types of information
about the student as directory information; and
(3) The period of time within which a parent or eligible student has
to notify the agency or institution in writing that he or she does not
want any or all of those types of information about the student
designated as directory information.
(b) An educational agency or institution may disclose directory
information about former students without meeting the conditions in
paragraph (a) of this section.
Essentially, if we get such a request, we simply blank out their name to
a "'". That fulfills the requirement, and allows us to continue to
expose posixAccount.
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
> Essentially, if we get such a request, we simply blank out their name to a "'". That fulfills the requirement, and allows us to continue to expose posixAccount.
We leave the 'cn' alone, but set a flag (FERPA) to True. This causes the server to return 'cn' (and other personal information) only to the bound user or certain administrative users. The lack of 'cn' has no effect on Mac OS X's use of posixAccount, nor any other implementation that I have experience with. I suspect that MUST 'cn' is a bug in the definition of posixAccount -- it doesn't really make sense that it's required. I can see why 'cn' is MUST for posixGroup. Does the password file require a name?
:wes
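
The two approaches described in this thread, compared side by side in an added example that is not code from either poster. The `ferpa` attribute name, the set of personal attributes, the DNs and the sample entry are constructed assumptions; the MUST list is the posixAccount definition from RFC 2307.

```python
# Added illustration: what a client sees under each approach, checked
# against the attributes posixAccount declares as MUST in RFC 2307.
POSIX_MUST = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")
PERSONAL = {"cn", "mail"}  # assumption: attributes treated as personal
ADMINS = {"uid=registrar,ou=admins,dc=example,dc=edu"}  # constructed admin DN

# Constructed sample entry for a student who has opted out.
ENTRY = {
    "dn": "uid=jdoe,ou=people,dc=example,dc=edu",
    "objectClass": ["posixAccount"],
    "cn": "Jane Doe", "mail": "jdoe@example.edu",
    "uid": "jdoe", "uidNumber": "1001", "gidNumber": "100",
    "homeDirectory": "/home/jdoe",
    "ferpa": "TRUE",  # assumption: flag stored as an attribute on the entry
}

def blank_name(entry):
    """Approach 1: overwrite the stored name with a placeholder value,
    so every client still receives a 'cn' attribute."""
    out = dict(entry)
    if out.get("ferpa") == "TRUE":
        out["cn"] = "'"
    return out

def filtered_view(entry, bound_dn):
    """Approach 2: keep the real values, but return personal attributes
    only to the entry's own bound user or an administrative user."""
    privileged = bound_dn == entry["dn"] or bound_dn in ADMINS
    if entry.get("ferpa") != "TRUE" or privileged:
        return dict(entry)
    return {k: v for k, v in entry.items() if k not in PERSONAL}

def missing_must(view):
    """posixAccount MUST attributes absent from what the client received."""
    return [a for a in POSIX_MUST if a not in view]

if __name__ == "__main__":
    anon = filtered_view(ENTRY, None)  # anonymous bind
    print("blanked cn  :", repr(blank_name(ENTRY)["cn"]),
          "missing:", missing_must(blank_name(ENTRY)))
    print("anon view   : missing:", missing_must(anon))
    print("self view   : cn =", filtered_view(ENTRY, ENTRY["dn"])["cn"])
```

The filtered view leaves an unprivileged client with an entry that lacks a MUST attribute, so it relies on consumers tolerating a missing 'cn'; the placeholder keeps the attribute present but discards the real name for every reader, administrators included.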