Hello Michael, I see this differently. One example where this is useful would be the following:* ACL rules can't be bound to the ldap operation (search, auth, add,modify, delete, ...), you can only remove e.g. some of the permission bits (e.g. access to if-operation="search" ...)Setting the privileges is IMO sufficient. I would like to e.g. add a rule at the very top of all ACL definitions: "access to attrs=uidNumber value=0 by * none stop" But this prevents that any other rule afterwards can make it *readable*. Having something like: "access to attrs=uidNumber value=0 if-operation="write,manage" by * none stop" would solve this problem. Best regards Florian -- Florian Best Open Source Software Engineer Univention GmbH be open Mary-Somerville-Str.1 28359 Bremen Tel.: +49 421 22232-0 Fax : +49 421 22232-99 best@univention.de http://www.univention.de Geschäftsführer: Peter H. Ganten HRB 20755 Amtsgericht Bremen Steuer-Nr.: 71-597-02876 |