Re: Access control



On Tue, 25 May 2004, John Borwick wrote:

> Here's a rule I wrote yesterday:
> 
> access to dn.subtree="ou=Users,dc=wfu,dc=edu"
>          attr=entry,wfuIsPublic,objectClass,uid
>          filter=(wfuIsPublic=Y)
>          by * read

What is the performance impact of this?

For legacy reasons (early implementations of OpenLDAP and Netscape DS), 
Brandeis still implements this sort of thing by leaving private attributes 
*blank* and defining "brFerpaMail" etc. attributes that particular 
applications need to look for specifically, but switching to the above 
would be nice...

> For others: does the "group" specification used here respect "memberOf"?

Nope, that's an ActiveDirectory thingie.
-- 
Rich Graves <rcgraves@brandeis.edu>
UNet Systems Administrator