[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Access control

To: openldap-software@OpenLDAP.org
Subject: Re: Access control
From: Rich Graves <rcgraves@brandeis.edu>
Date: Tue, 25 May 2004 14:05:18 -0400 (EDT)
In-reply-to: <40B38760.3000306@wfu.edu>

On Tue, 25 May 2004, John Borwick wrote:

> Here's a rule I wrote yesterday:
> 
> access to dn.subtree="ou=Users,dc=wfu,dc=edu"
>          attr=entry,wfuIsPublic,objectClass,uid
>          filter=(wfuIsPublic=Y)
>          by * read

What is the performance impact of this?

For legacy reasons (early implementations of openldap and Netscape DS), 
Brandeis still implements this sort of thing by leaving private attributes 
*blank* and defining "brFerpaMail" etc. attributes that particular 
applications need to look for specifically, but switching to the above 
would be nice...

> For others: does the "group" specification used here respect "memberOf"?

Nope, that's an ActiveDirectory thingie.
-- 
Rich Graves <rcgraves@brandeis.edu>
UNet Systems Administrator

Follow-Ups:
- Re: Access control
  - From: Quanah Gibson-Mount <quanah@stanford.edu>
- Re: Access control
  - From: John Borwick <borwicjh@wfu.edu>

References:
- Re: Access control
  - From: John Borwick <borwicjh@wfu.edu>

Prev by Date: Re: Access control
Next by Date: Using OpenLDAP schema syntax rules in web form validation
Index(es):
- Chronological
- Thread