I think you're sort of overexpecting from this feature. The basic existence of "disclose" within the access privileges means that administrators can get most of the advantage out of it. But think of what you are asking for: you want to be able to say "well, the whole tree must not be disclosable. According to slapd's ACL paradigm, I'll start enumerating access privileges from narrow to broad, *but*, for the disclose level, I want it to work from broad to narrow."

I agree it would be quite useful to be able to just say "access has to be exactly what I have in mind, no more, no less", but somehow you need to be able to translate your expectation into an inevitably limited language that slapd can understand. For this reason, you need to explicitly add "disclose" access whenever you're detailing access to "narrow", since you can't expect "broad" to overcome "narrow" when "narrow" comes first.

Hope I made the point. Regardless of what any of us considers the "expected" or the "favored" behavior, slapd's ACLs work like that. Either you write them the way slapd expects them, or you'll get a behavior different from what you expect. Of course, feel free to propose a totally different, at least identically flexible and more user-friendly way to describe access privileges.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------
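The point made above, first-match evaluation of `access to` clauses and therefore the need to grant "disclose" inside the narrow clause itself, as an added slapd.conf illustration that is not part of the original message and not taken from OpenLDAP's own documentation. The suffix `dc=example,dc=com`, the subtree `ou=secret` and the group `cn=admins` are assumed names chosen for the example.

```conf
# Added example, not from the original message or from the OpenLDAP
# project. Suffix, subtree and group names are assumptions.
#
# slapd picks the FIRST "access to" clause whose target matches the
# entry being touched; later clauses are never consulted for that
# entry. Within the chosen clause, the first matching "by" wins.
#
# 1) What the poster seems to expect: a narrow clause first, and a
#    broad clause afterwards that is supposed to add "disclose"
#    everywhere.

access to dn.subtree="ou=secret,dc=example,dc=com"
        by group.exact="cn=admins,dc=example,dc=com" write
        by * none

access to *
        by users read
        by * disclose

# Result: for anything under ou=secret the first clause is selected
# and "by * none" applies to non-admins. "none" is below "disclose",
# so the existence of the entry is not disclosed: a failed operation
# comes back as noSuchObject rather than insufficientAccess. The
# "disclose" in the broad clause does not leak back into the narrow
# one, because the broad clause is never reached.
#
# 2) What slapd expects: state "disclose" explicitly in the narrow
#    clause, since "narrow" comes first and wins.

access to dn.subtree="ou=secret,dc=example,dc=com"
        by group.exact="cn=admins,dc=example,dc=com" write
        by users disclose
        by * none

access to *
        by users read
        by * disclose

# Now an authenticated non-admin touching ou=secret gets
# insufficientAccess (existence disclosed, nothing else), while
# anonymous clients still fall through to "by * none" and get
# noSuchObject, which is usually the intent.
```

A quick way to check the effect without reading code is `slapacl`: run it as the non-admin DN against an entry under `ou=secret` with the first configuration and then with the second, and compare the privilege it reports, which moves from `none` to `disclose(=d)` only in the second case.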