[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL question

I think one of these filters would work.

>I would like to give read access for all to objectclass=posixAccount, 
>except for the attribute description (covered by FERPA).

>It would be nice if I could do something like:
>access to attr=posixAcount,!attr=description
>access to attr=posixAccount,attr=uid,attr=gecos,etc..
>leaving off description to accomplish this.

Let us say you have the following structure as viewed in vlad:

Also, let us say that you have a "description: FERBIE" for
FERPA protected accounts.

Check the filter syntax against this:

Only accounts without the description=FERBIE should be
displayed in the testing.edu domain with this filter.

access to dn.children="cn=browsablepeople,dc=testing,dc=edu"
        by domain=.*\.testing\.edu read

Simplier yet may be this complicated combo that uses an and statement.
[Translations] --- objectclass=posixaccount [and] not(description=FURBIE)

access to dn.children="cn=browsablepeople,dc=testing,dc=edu"
        by domain=.*\.testing\.edu read

There is no reason to change unless you want to make your system more
complicated for job security. ;-)

Not many understand the filters.

>access to attr=description
>	by * none
>access to attr=posixAccount
>	by * read