
Re: ACL question



I think one of these filters would work.

>I would like to give read access for all to objectclass=posixAccount, 
>except for the attribute description (covered by FERPA).

>It would be nice if I could do something like:
>access to attr=posixAcount,!attr=description
>or
>access to attr=posixAccount,attr=uid,attr=gecos,etc..
>
>leaving off description to accomplish this.

Let us say you have the following structure as viewed in vlad:
    +"cn=browsablepeople,dc=testing,dc=edu" 

Also, let us say that you have a "description: FERBIE" for
FERPA protected accounts.

Check the filter syntax against this:
http://www.OpenLDAP.org/doc/admin/

Only accounts without the description=FERBIE should be
displayed in the testing.edu domain with this filter.

access to dn.children="cn=browsablepeople,dc=testing,dc=edu"
        filter=(objectclass=posixAccount)
        filter=(!(description=FERBIE))
        by domain=.*\.testing\.edu read

Simpler yet may be this complicated combo that uses an and statement.
[Translations] --- objectclass=posixaccount [and] not(description=FERBIE)

access to dn.children="cn=browsablepeople,dc=testing,dc=edu"
        filter=(&(objectClass=posixAccount)(!(description=FERBIE)))
        by domain=.*\.testing\.edu read

There is no reason to change unless you want to make your system more
complicated for job security. ;-)

Not many understand the filters.

>access to attr=description
>	by * none
>
>access to attr=posixAccount
>	by * read

-Ted
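Since the point of the thread is which entries a `filter=` clause in an `access to` directive actually selects, here is a small RFC 4515 filter parser and evaluator you can run against sample entries. It is an added example, not code from the list post or from the OpenLDAP project; the entries under `PEOPLE` are constructed, and the attribute-name check and case-insensitive comparison are simplifications of real schema matching rules.

```python
import re

# Added example (not OpenLDAP code): parse an RFC 4515 search filter and
# evaluate it against in-memory entries to see which ones an ACL
# "filter=" clause would apply to.  Entry data below is constructed.

_ATTR_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)*")  # descriptor or OID


class Filter:
    """One node of a parsed LDAP filter."""

    def __init__(self, op, args):
        self.op = op        # '&', '|', '!', '=' or 'present'
        self.args = args    # child Filters, or [attr, value] / [attr]


def parse_filter(text):
    """Parse a filter such as (&(objectClass=posixAccount)(!(description=FERBIE)))."""
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data after filter at offset %d" % pos)
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i >= len(s):
        raise ValueError("unexpected end of filter")
    if s[i] in "&|":                      # AND / OR over one or more sub-filters
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if not kids:
            raise ValueError("'%s' needs at least one sub-filter" % op)
        node = Filter(op, kids)
    elif s[i] == "!":                     # NOT over exactly one sub-filter
        kid, i = _parse(s, i + 1)
        node = Filter("!", [kid])
    else:                                 # attr=value or attr=* (presence)
        eq, close = s.find("=", i), s.find(")", i)
        if eq < 0 or close < 0 or eq > close:
            raise ValueError("malformed filter item at offset %d" % i)
        attr, value = s[i:eq].strip().lower(), s[eq + 1:close]
        if not _ATTR_RE.fullmatch(attr):
            raise ValueError("invalid attribute name %r at offset %d" % (attr, i))
        node = Filter("present", [attr]) if value == "*" else Filter("=", [attr, value])
        i = close
    if i >= len(s) or s[i] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return node, i + 1


def is_valid_filter(text):
    """True if the text parses as a filter; slapd would reject anything else."""
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False


def matches(node, entry):
    """Does the entry (dict attr -> list of values) satisfy the filter?
    Comparisons are case-insensitive, like LDAP's caseIgnoreMatch; an
    absent attribute makes an equality test false, so (!(description=X))
    is true for entries with no description at all."""
    e = {k.lower(): [str(v).lower() for v in vs] for k, vs in entry.items()}
    return _eval(node, e)


def _eval(node, e):
    if node.op == "&":
        return all(_eval(k, e) for k in node.args)
    if node.op == "|":
        return any(_eval(k, e) for k in node.args)
    if node.op == "!":
        return not _eval(node.args[0], e)
    if node.op == "present":
        return bool(e.get(node.args[0]))
    attr, value = node.args
    return value.lower() in e.get(attr, [])


# Constructed sample entries under cn=browsablepeople,dc=testing,dc=edu
PEOPLE = [
    {"uid": ["alice"], "objectClass": ["posixAccount"], "description": ["FERBIE"]},
    {"uid": ["bob"], "objectClass": ["posixAccount"]},
    {"uid": ["carol"], "objectClass": ["posixAccount"], "description": ["student worker"]},
    {"cn": ["printers"], "objectClass": ["groupOfNames"]},
]

# The combined filter from the reply, in valid RFC 4515 syntax.
ACL_FILTER = "(&(objectClass=posixAccount)(!(description=FERBIE)))"


def selected(filter_text, entries=PEOPLE):
    """Names of the entries an 'access to ... filter=' clause would cover."""
    f = parse_filter(filter_text)
    return [(e.get("uid") or e.get("cn"))[0] for e in entries if matches(f, e)]


if __name__ == "__main__":
    print(selected(ACL_FILTER))   # ['bob', 'carol']
```

Running it shows the FERPA-flagged account and the non-posixAccount entry dropping out of the set the ACL grants read on, and `is_valid_filter` rejects a filter with the `&` placed inside the attribute item, which is the kind of typo slapd refuses at startup.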