--On Thursday, September 21, 2006 12:13 AM -0700 Howard Chu <[EMAIL PROTECTED]> wrote:
> Rob Tanner wrote:
>> On 09/20/2006 01:57 PM, Quanah Gibson-Mount wrote:
>>> access to dn.subtree="ou=classlists,o=linfield.edu"
>>>         by dnattr=owner write
>>> access to dn.subtree="ou=classlists,o=linfield.edu"
>>>         attrs=uniquemember,owner
>>>         by * none
>>> access to dn.subtree="ou=classlists,o=linfield.edu"
>>>         by * read
>> This gets me halfway to my goal. With the first ACL in place and
>> logging in as an owner (my DN in the owner attribute), I can see all the
>> nodes immediately beneath "ou=classlists,o=linfield.edu", but I cannot
>> see objects beneath them.
> The above was wrong anyway. It should have been:
Actually, the above was not wrong. Your ACLs are more concise, but lose
some of the detail. There are cases where such a specific breakout can be
useful, particularly when dealing with things like FERPA where you can get
audited by people who have very little understanding of anything technical,
and it is much simpler to have it broken down in a way that makes it easier
for them to understand what it is that is happening. It also depends on
how your ACL file is structured; I do something very similar for both of
these reasons in my own ACLs. In any case, both sets of ACLs work, it
simply depends on what your intent is outside of that.
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
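An added illustration, not part of the thread or of OpenLDAP: a small Python model of how slapd selects among the three directives quoted above, following slapd.access(5) (the first "access to" directive whose what-clause matches the entry and attribute is used; within it the first matching "by" clause decides; no match means deny). The DNs and entries are constructed for the example.

```python
# Model of slapd ACL selection for the three directives quoted in the thread.
# Semantics per slapd.access(5): first matching <what> selects the directive,
# first matching <by> inside it decides, otherwise implicit "by * none".
BASE = "ou=classlists,o=linfield.edu"

# The three directives, in file order. attrs=None means "any attribute".
ACLS = [
    {"attrs": None,                      "by": [("dnattr=owner", "write")]},
    {"attrs": {"uniquemember", "owner"}, "by": [("*", "none")]},
    {"attrs": None,                      "by": [("*", "read")]},
]


def in_subtree(dn):
    """dn.subtree covers the base entry itself and everything below it."""
    return dn == BASE or dn.endswith("," + BASE)


def who_matches(who, entry, requester):
    if who == "*":
        return True
    if who == "dnattr=owner":  # requester's DN is listed in the entry's owner attribute
        return requester in entry.get("owner", [])
    raise ValueError(f"unsupported <who>: {who}")


def evaluate(entry, attr, requester):
    """Return (directive_number, access_level); directive_number 0 = nothing matched."""
    for n, acl in enumerate(ACLS, start=1):
        if not in_subtree(entry["dn"]):
            continue
        if acl["attrs"] is not None and attr not in acl["attrs"]:
            continue
        for who, level in acl["by"]:  # first matching <by> clause wins
            if who_matches(who, entry, requester):
                return n, level
        return n, "none"  # directive selected but no <by> matched: implicit deny
    return 0, "none"


# Constructed sample data (hypothetical DNs, not from the thread).
ROB = "uid=rob,ou=people,o=example"
CLASSLIST = {"dn": "cn=bio101,ou=classlists,o=linfield.edu", "owner": [ROB]}
MEMBER = {"dn": "uid=s1,cn=bio101,ou=classlists,o=linfield.edu"}  # no owner attribute

if __name__ == "__main__":
    for entry, attr in ((CLASSLIST, "cn"), (CLASSLIST, "uniquemember"), (MEMBER, "cn")):
        print(entry["dn"], attr, evaluate(entry, attr, ROB))
```

With the owner's DN in the list entry's owner attribute, the list entry resolves to the first directive with write access, while an entry beneath it (carrying no owner attribute) also resolves to the first directive but with no matching by-clause, which is the behaviour Rob describes.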