I'd love to see something like that as a constructed read/write attribute if it could ever be made to happen. You could also blow apart the fields in the SD into separate attributes to make the semantics more clear.


----- Original Message ----- From: Dmitri Gavrilov
To: ActiveDir@mail.activedir.org
Sent: Friday, October 06, 2006 6:40 PM
Subject: RE: [ActiveDir] Using an LDIF to set ACLs

Yeah, Joe's correct, dsacls or scripting is your best bet. SDDL+encoding is also possible, but it would replace the whole SD value, which is rarely what you really want. Usually you just need to add or remove an ACE, right? This would require reading the old value, which is not possible with LDIF.

At some point, I looked at trying to expose the SD value as a multi-valued string attribute, each value representing an individual ACE (e.g. in SDDL). This is approximately what iPlanet and OpenLdap do. Unfortunately, it never went further than that. Would have been pretty cool, and very much LDIF'able. Alas.

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

Reply via email to