[Date Prev][Date Next] [Chronological] [Thread] [Top]

group acl in what


we have the following setup: 

student(thousands) accounts are in a subtree: 


and there are many courses each having one or more intructors. 
i need to give each instructor write permissions to all his 
student's entries. A student might be enrolled in more than one course. 

i tried 2 different acls: 

1)for each student record have an attribute course
and the following acl: 

access to filter="(course=somecourse)" 
by group="c=somecourse_instructors,ou=people,o=fas" write 

this works but i have to list all course in slapd.conf 

2)add an attribute manager to each student 
so for a student taking course1 and course2 will have an entry 


and the acl: 

access to dn=".*,ou=students,ou=people,o=fas" 
by dnattr=manager write 

this seems better than the above but it is time consuming 
to go over the student entries and add for each a manager attribute 

any suggestions?