[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
objectClass names in ACLs
Hello,
After careful testing I came up with explicit ACLs.
For example I have:
access to dn.one="ou=Groups,o=test"
attrs=entry,objectClass,gidNumber,cn,memberUid
by dn.exact="cn=smbldapmgr,ou=Managers,o=test" write
by * read
access to dn.one="ou=Groups,o=test"
attrs=sambaSID,sambaGroupType,displayName
by dn.exact="cn=smbldapmgr,ou=Managers,o=test" write
by dn.exact="cn=sambamgr,ou=Managers,o=test" read
by * none
Then I saw that I can use an objectClass name as a shorthand for all
the attributes in the class. Here I could use:
access to dn.one="ou=Groups,o=test"
attrs=entry,objectClass,posixGroup
by dn.exact="cn=smbldapmgr,ou=Managers,o=test" write
by * read
access to dn.one="ou=Groups,o=test"
attrs=sambaGroupMapping
by dn.exact="cn=smbldapmgr,ou=Managers,o=test" write
by dn.exact="cn=sambamgr,ou=Managers,o=test" read
by * none
I like the explicit form because it requires one to know exactly what
is needed and it gives access to no more than that.
Are there advantages to the short form (performance, readability,
ease of maintenance and/or evolution)?
What about attributes like gidNumber which are in both classes?
I guess that if I swap the two short ACLs I change the access to gidNumber.
Am I right?
With the short form should I protect expicitly attributes (like userPassword
of posixGroup) which do not appear currently in my directory but may be
added later?
Any advice would be appreciated.
Regards,
Thierry.