
Re: ACL question


Unfortunately, we don't have a visibility attribute for description. And, I want all entries in posixAccount shown, regardless of what the description is. I just don't want the description attribute to be shown, as that one attribute out of posixAccount is covered by FERPA. The rest of the attributes in posixAccount are not, so they can be shown to any query.


--On Thursday, March 06, 2003 9:26 AM -0500 Theodore Knab <tjk@annapolislinux.org> wrote:

I think one of these filters would work.

I would like to give read access for all to objectclass=posixAccount,
except for the attribute description (covered by FERPA).

It would be nice if I could do something like:
access to attr=posixAccount,!attr=description
access to attr=posixAccount,attr=uid,attr=gecos,etc.

leaving off description to accomplish this.

Let us say you have the following structure as viewed in vlad: "cn=browsablepeople,dc=testing,dc=edu"

Also, let us say that you have a "description: FERBIE" for
FERPA protected accounts.

Check the filter syntax against this:

Only accounts without the description=FERBIE should be
displayed in the testing.edu domain with this filter.

# entries under the container are readable from testing.edu hosts only
# when the entry does not carry description=FERBIE
access to dn.children="cn=browsablepeople,dc=testing,dc=edu" filter=(!(description=FERBIE))
        by domain=.*\.testing\.edu read

Simpler yet may be this complicated combo that uses an and statement.
[Translations] --- objectclass=posixaccount [and] not(description=FERBIE)

# same target, but the filter now also requires the posixAccount objectClass
access to dn.children="cn=browsablepeople,dc=testing,dc=edu" filter=(&(objectClass=posixAccount)(!(description=FERBIE)))
        by domain=.*\.testing\.edu read

There is no reason to change unless you want to make your system more
complicated for job security. ;-)

Not many understand the filters.

# order matters: slapd stops at the first "access to" whose target matches,
# so the rule hiding description must come before the broader one
access to attrs=description
        by * none

# @posixAccount expands to every attribute the objectClass requires or allows
# (this form needs a slapd release that supports objectClass attribute lists)
access to attrs=@posixAccount
        by * read


-- Quanah Gibson-Mount Senior Systems Administrator ITSS/TSS/Computing Systems Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
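The ordering rule behind the two ACLs at the end of the quoted message, as an added example that is not from the thread: a small Python model of how slapd walks an ordered list of access directives (the first one whose target matches decides), covering the hide-description ACL, the same two directives reversed, and the filter-based variant. It assumes the `attrs=@posixAccount` form and uses constructed sample entries rather than a real directory.

```python
# Added example, not from the thread: a minimal model of slapd ACL evaluation.
# Only the features the thread uses are modelled: attrs= lists (including the
# @objectClass form), a filter on the entry, and "by * <level>". The first
# directive whose target matches decides the access level, so order matters.
from dataclasses import dataclass
from typing import Callable

# Stand-in for the schema slapd would consult when expanding @posixAccount
POSIX_ACCOUNT_ATTRS = {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory",
                       "userPassword", "loginShell", "gecos", "description"}

@dataclass
class Access:
    attrs: set                                    # attribute types this directive governs
    level: str                                    # what "by *" grants: "none" or "read"
    filter: Callable[[dict], bool] = lambda e: True  # entry predicate (filter= clause)

def expand(attrlist: str) -> set:
    """Turn 'description' or '@posixAccount' into a set of attribute names."""
    out = set()
    for a in attrlist.split(","):
        out |= POSIX_ACCOUNT_ATTRS if a == "@posixAccount" else {a}
    return out

def access_level(acl, entry, attr):
    """First directive whose attrs and filter match the request wins."""
    for rule in acl:
        if attr in rule.attrs and rule.filter(entry):
            return rule.level
    return "none"  # nothing matched: slapd's default is no access

def visible(acl, entry):
    """Attributes an anonymous search would get back for this entry."""
    return {a: v for a, v in entry.items() if access_level(acl, entry, a) == "read"}

# Constructed sample entries (not real accounts)
ENTRIES = [
    {"uid": "alice", "gecos": "Alice A", "description": "FERBIE"},
    {"uid": "bob", "gecos": "Bob B", "description": "regular"},
]

# The ACL from the thread: hide description first, then expose posixAccount.
HIDE_DESCRIPTION = [Access(expand("description"), "none"),
                    Access(expand("@posixAccount"), "read")]
# Same two directives reversed: the broad rule matches first and leaks description.
REVERSED = HIDE_DESCRIPTION[::-1]
# The filter-based variant from the quoted message: whole entry hidden when tagged FERBIE.
FILTERED = [Access(expand("@posixAccount"), "read",
                   lambda e: e.get("description") != "FERBIE")]
```

In real slapd an entry that yields no readable attributes is simply not returned by the search, which is the effect the filter variant relies on.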