
objectClass names in ACLs



Hello,

After careful testing I came up with explicit ACLs.
For example I have:

access to dn.one="ou=Groups,o=test"
   attrs=entry,objectClass,gidNumber,cn,memberUid
      by dn.exact="cn=smbldapmgr,ou=Managers,o=test" write
      by * read

access to dn.one="ou=Groups,o=test"
   attrs=sambaSID,sambaGroupType,displayName
      by dn.exact="cn=smbldapmgr,ou=Managers,o=test" write
      by dn.exact="cn=sambamgr,ou=Managers,o=test" read
      by * none

Then I saw that I can use an objectClass name as a shorthand for all
the attributes in the class. Here I could use:

access to dn.one="ou=Groups,o=test"
   attrs=entry,objectClass,posixGroup
      by dn.exact="cn=smbldapmgr,ou=Managers,o=test" write
      by * read

access to dn.one="ou=Groups,o=test"
   attrs=sambaGroupMapping
      by dn.exact="cn=smbldapmgr,ou=Managers,o=test" write
      by dn.exact="cn=sambamgr,ou=Managers,o=test" read
      by * none

I like the explicit form because it requires one to know exactly what
is needed and it gives access to no more than that.
Are there advantages to the short form (performance, readability,
ease of maintenance and/or evolution)?

What about attributes like gidNumber which are in both classes?
I guess that if I swap the two short ACLs I change the access to gidNumber.
Am I right?

With the short form should I protect explicitly attributes (like userPassword
of posixGroup) which do not appear currently in my directory but may be
added later?

Any advice would be appreciated.

Regards,
Thierry.
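As an added illustration (my own script, not OpenLDAP's code) of how slapd picks the first access directive whose target covers the attribute, here is a small model of the two short-form ACLs from the post. The attribute sets for posixGroup and sambaGroupMapping and the "deny when nothing matches" fallback are assumptions; check them against your own schema files.

```python
"""Added model of slapd's first-match ACL evaluation (not OpenLDAP code).

Assumptions: attribute sets follow the posixGroup (RFC 2307) and
sambaGroupMapping (samba.schema) definitions as recalled here, and a
request that matches no directive is treated as denied."""

# Constructed schema: MUST and MAY attributes of each objectClass.
SCHEMA = {
    "posixGroup": {"cn", "gidNumber", "userPassword", "memberUid",
                   "description"},
    "sambaGroupMapping": {"gidNumber", "sambaSID", "sambaGroupType",
                          "displayName", "sambaSIDList", "description"},
}

SMBLDAPMGR = "cn=smbldapmgr,ou=Managers,o=test"
SAMBAMGR = "cn=sambamgr,ou=Managers,o=test"
ANYONE = "cn=someone,o=test"  # constructed: a DN named in no by clause

def expand(attrs):
    """Replace each objectClass name in an attrs list by the attributes it covers."""
    covered = set()
    for name in attrs:
        covered |= SCHEMA.get(name.lstrip("@"), {name})
    return covered

# The two short-form directives from the post: (attrs, [(who, level), ...]).
SHORT_ACLS = [
    (["entry", "objectClass", "posixGroup"],
     [(SMBLDAPMGR, "write"), ("*", "read")]),
    (["sambaGroupMapping"],
     [(SMBLDAPMGR, "write"), (SAMBAMGR, "read"), ("*", "none")]),
]

def access(acls, attr, who):
    """slapd semantics: the first directive whose target covers `attr` is
    used, and within it the first matching `by` clause decides."""
    for attrs, by_clauses in acls:
        if attr in expand(attrs):
            for subject, level in by_clauses:
                if subject == "*" or subject == who:
                    return level
            return "none"
    return "none"  # assumption: nothing matched, treat as denied

def report(acls, who):
    """Access `who` gets on a shared attribute and one unique to each class."""
    return {a: access(acls, a, who) for a in ("gidNumber", "userPassword", "sambaSID")}

if __name__ == "__main__":
    print("as listed:", report(SHORT_ACLS, ANYONE))
    print("swapped:  ", report(SHORT_ACLS[::-1], ANYONE))
```

Run it once with the directives in the listed order and once swapped: the overlapping gidNumber flips between read and none for anyone not named in a by clause, while userPassword, covered only by posixGroup, stays readable by everyone in both orders.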