Re: Need some help with ACLs

[Quanah Gibson-Mount <quanah@stanford.edu>]

--On Thursday, September 21, 2006 12:13 AM -0700 Howard Chu <hyc@symas.com> 
wrote:

> Rob Tanner wrote:
> > On 09/20/2006 01:57 PM, Quanah Gibson-Mount wrote:
>
> > > access to dn.subtree="ou=classlists,o=linfield.edu"
> > >         by dnattr=owner write
> > > access to dn.subtree="ou=classlists,o=linfield.edu"
> > > attrs=uniquemember,owner
> > >     by * none
> > > access to dn.subtree="ou=classlists,o=linfield.edu"
> > >     by * read
>
> > This gets me half way to my goal.  With the first ACL in place and
> > logging in as an owner (my DN in the owner attribute), I can see all the
> > nodes immediately beneath "ou=classlists,o=linfield.edu", but I cannot
> > see objects beneath them.
>
> The above was wrong anyway. It should have been:

Actually, the above was not wrong.  Your ACL's are more concise, but lose 
some of the detail.  There are cases where such a specific breakout can be 
useful, particularly when dealing with things like FERPA where you can get 
audited by people who have very little understanding of anything technical, 
and it is much simpler to have it broken down in a way that makes it easier 
for them to understand what it is that is happening.  It also depends on 
how your ACL file is structured, I do something very similar for both of 
these reasons in my own ACL's.  In any case, both sets of ACLs work, it 
simply depends on what your intent is outside of that.

--Quanah


--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html