
Re: Need some help with ACLs

--On Thursday, September 21, 2006 12:13 AM -0700 Howard Chu <hyc@symas.com> wrote:

Rob Tanner wrote:
On 09/20/2006 01:57 PM, Quanah Gibson-Mount wrote:

access to dn.subtree="ou=classlists,o=linfield.edu"
    by dnattr=owner write
access to dn.subtree="ou=classlists,o=linfield.edu"
    attrs=uniquemember,owner
    by * none
access to dn.subtree="ou=classlists,o=linfield.edu"
    by * read

This gets me halfway to my goal.  With the first ACL in place and
logging in as an owner (my DN in the owner attribute), I can see all the
nodes immediately beneath "ou=classlists,o=linfield.edu", but I cannot
see objects beneath them.

The above was wrong anyway. It should have been:

Actually, the above was not wrong. Your ACLs are more concise, but lose some of the detail. There are cases where such a specific breakout can be useful, particularly when dealing with things like FERPA, where you can get audited by people who have very little understanding of anything technical, and it is much simpler to have it broken down in a way that makes it easier for them to understand what it is that is happening. It also depends on how your ACL file is structured; I do something very similar for both of these reasons in my own ACLs. In any case, both sets of ACLs work; it simply depends on what your intent is outside of that.


--Quanah


--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
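The first-match rule behind the exchange above, as an added example that is not code from this thread or from OpenLDAP: a toy Python model of slapd ACL evaluation run over the three clauses Rob quoted. It shows why an owner can see the entries that carry his DN in "owner" but not the entries beneath them, and why the "by * none" and "by * read" clauses are never reached for an entry the first clause already matched. The entry DNs, requester DNs and owner values are constructed; the default used when no clause matches is an assumption.

```python
"""Toy model of slapd ACL evaluation (constructed example, not slapd code).
Semantics modelled, per slapd.access(5): the first 'access to' clause whose
target matches the entry/attribute wins; inside it, the first matching 'by'
clause decides; if no 'by' clause matches, access is denied (implicit
'by * none') and evaluation stops."""

BASE = "ou=classlists,o=linfield.edu"

# (subtree base, attribute set or None for any attribute, [(who, level), ...])
ACLS = [
    (BASE, None, [("dnattr=owner", "write")]),
    (BASE, {"uniquemember", "owner"}, [("*", "none")]),
    (BASE, None, [("*", "read")]),
]

# Constructed directory entries: a class list owned by Rob and a child of it.
ROB = "uid=rob,o=linfield.edu"
OTHER = "uid=someone,o=linfield.edu"
CHILD = {"dn": "cn=cs101," + BASE, "attrs": {"owner": [ROB], "cn": ["cs101"]}}
GRANDCHILD = {"dn": "cn=week1,cn=cs101," + BASE, "attrs": {"cn": ["week1"]}}


def in_subtree(dn, base):
    # DNs grow to the left: the base itself or anything ending in ",<base>"
    return dn == base or dn.endswith("," + base)


def who_matches(who, requester_dn, entry):
    if who == "*":
        return True
    if who.startswith("dnattr="):
        # dnattr=<attr>: requester's DN must be listed in the *target* entry's attribute
        attr = who.split("=", 1)[1]
        return requester_dn in entry["attrs"].get(attr, [])
    raise ValueError("unsupported 'by' clause: " + who)


def access(requester_dn, entry, attr, acls=ACLS):
    """Return the access level the given ACL list grants on entry[attr]."""
    for base, attrs, bys in acls:
        if not in_subtree(entry["dn"], base):
            continue
        if attrs is not None and attr not in attrs:
            continue  # clause only targets listed attributes
        for who, level in bys:
            if who_matches(who, requester_dn, entry):
                return level
        return "none"  # no 'by' matched: implicit 'by * none', stop here
    return "none"  # no clause matched; real slapd applies its default policy (assumed 'none')
```

Evaluating the same requests against `ACLS[1:]` (the first clause removed) shows the ordering effect: non-owners then get "none" on uniquemember but "read" on other attributes.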