Re: Documentation request

[Quanah Gibson-Mount <quanah@zimbra.com>]

--On Thursday, September 20, 2007 6:37 PM -0700 Russ Allbery 
<rra@stanford.edu> wrote:

> Howard Chu <hyc@symas.com> writes:
>
> > So, for those of you using sets - why are they useful to you, and in what
> > ways are they still too limited? I personally am concerned that they are
> > too expensive to evaluate; if we could provide similar features using a
> > less general model that would be worth exploring too.
>
> I inherited this setup, so I don't know how useful it is or if there are
> better ways of expressing the same thing, but we use it for:
>
> access to dn.children="cn=people,dc=stanford,dc=edu"
>         by set.exact="this/uid & user/uid" sasl_ssf=56 read

This allows users who bind to the server to read their person entry when 
their binding user id matches the user id in the people tree.

> access to dn.children="cn=nis,dc=stanford,dc=edu"
>         by set.exact="this/host & user" sasl_ssf=56 read

This was an experimental ACL for doing host based restrictions of user 
logins.  It currently will never be used since this was never deployed. 
Still a cool idea though, I think. ;)

> access to dn.children="cn=accounts,dc=stanford,dc=edu"
>         by set.exact="this/uid & user/uid" sasl_ssf=56 read
>         by * break

This allows users who bind to the server to read their account entry when 
their binding user id matches the user id in the entry in the account tree.

Basically, the first and third acls allow Stanford users to have full read 
on their own data, but keeps the restrictions in place on all other peoples 
data in both trees.

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration