I'd love to see something like that as a constructed read/write attribute if
it could ever be made to happen. You could also blow apart the fields in
the SD into separate attributes to make the semantics more clear.
Joe
----- Original Message -----
From: Dmitri Gavrilov
To: ActiveDir@mail.activedir.org
Sent: Friday, October 06, 2006 6:40 PM
Subject: RE: [ActiveDir] Using an LDIF to set ACLs
Yeah, Joe's correct, dsacls or scripting is your best bet. SDDL+encoding is
also possible, but it would replace the whole SD value, which is rarely what
you really want. Usually you just need to add or remove an ACE, right? This
would require reading the old value, which is not possible with LDIF.
At some point, I looked at trying to expose the SD value as a multi-valued
string attribute, each value representing an individual ACE (e.g. in SDDL).
This is approximately what iPlanet and OpenLDAP do. Unfortunately, it never
went further than that. Would have been pretty cool, and very much LDIF'able.
Alas.
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
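An added example (not code from the thread or from either poster) of the per-ACE model Dmitri describes: the DACL is handled as a list of individual SDDL ACE strings, so one ACE can be added or removed while owner, group, SACL and DACL flags are left alone, which is the read-modify-write step a plain LDIF replace cannot do. It assumes you already hold the SD as SDDL text (read from the object via ADSI or an equivalent), and the sample SDDL strings are constructed.

```python
import re

# O:/G:/D:/S: sections; the lookahead ends each section at the next marker.
_SECTION_RE = re.compile(r"([OGDS]):((?:(?![OGDS]:).)*)")

def parse_sddl(sddl):
    """'O:DAG:DUD:PAI(A;;GA;;;SY)' -> {'O': 'DA', 'G': 'DU', 'D': 'PAI(A;;GA;;;SY)'}."""
    return dict(_SECTION_RE.findall(sddl))

def split_acl(acl):
    """'PAI(A;;GA;;;SY)(A;;GR;;;DA)' -> ('PAI', ['(A;;GA;;;SY)', '(A;;GR;;;DA)']).
    Paren depth is tracked so a conditional ACE with a nested '(...)' stays whole."""
    first = acl.find("(")
    if first < 0:
        return acl, []
    aces, cur, depth = [], [], 0
    for ch in acl[first:]:
        cur.append(ch)
        depth += (ch == "(") - (ch == ")")
        if depth == 0:
            aces.append("".join(cur))
            cur = []
    return acl[:first], aces

def ace_kind(ace):
    """(is_inherited, is_deny) taken from the ACE type and ACE flags fields."""
    ace_type, flags = ace[1:-1].split(";")[:2]
    inherited = "ID" in {flags[i:i + 2] for i in range(0, len(flags), 2)}
    return inherited, ace_type in ("D", "OD", "XD")

def edit_dacl(sddl, add=(), remove=()):
    """Remove, then add, individual ACEs; the rest of the SD is untouched.
    New ACEs are placed in canonical order: explicit deny, explicit allow, inherited."""
    parts = parse_sddl(sddl)
    flags, aces = split_acl(parts.get("D", ""))
    aces = [a for a in aces if a not in remove]
    for ace in add:
        if ace in aces:          # idempotent: re-adding an existing ACE is a no-op
            continue
        deny = ace_kind(ace)[1]
        pos = next((i for i, a in enumerate(aces)
                    if ace_kind(a)[0] or (deny and not ace_kind(a)[1])), len(aces))
        aces.insert(pos, ace)
    parts["D"] = flags + "".join(aces)
    return "".join(f"{k}:{parts[k]}" for k in "OGDS" if k in parts)
```

The canonical-order insert matters: a DACL with an explicit allow after inherited ACEs, or an explicit deny after an explicit allow, is what Windows tools flag as a non-canonical ACL.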