--On Saturday, January 13, 2007 1:55 PM -0800 Quanah Gibson-Mount
<quanah(a)stanford.edu> wrote:
--On Saturday, January 13, 2007 1:47 PM -0800 Howard Chu <hyc(a)symas.com>
wrote:
> You seem to be under the impression that changing the name of a piece of
> data changes the nature of the data. If you have an attribute that
> general users should not be able to see, then they also should not be
> able to see the dynamic group derived from that attribute. Opening it up
> in any way is only going to open you to the same liability you claim to
> want to avoid.
Please explain to me how they would see dynamic groups I haven't given
them access to via acl control.
This:
access to dn.subtree="cn=people,dc=stanford,dc=edu" attrs=privgroup
by USER compare
Is much worse than
access to dn.exact="cn=usergroup,cn=groups,dc=stanford,dc=edu"
by USER compare
I don't in any way intend to let people see groups they don't have access
to *but* if I have to use the user credentials to create groups, that's
essentially the position I'm forced into unless I want to make thousands
and thousands of ACLs like:
access to dn.subtree="cn=people,dc=stanford,dc=edu" attrs=privgroup
val.regex="user-group-a"
by * compare
s/*/USER
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key:
http://www.stanford.edu/~quanah/pgp.html
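The scope difference the message above is arguing about can be made concrete with a small model. The following is an added example, not code from the thread or from OpenLDAP: it mirrors slapd's "first matching `access to` clause decides, non-matching `by` falls through to deny" rule for the compare privilege, using the Stanford DNs quoted in the thread plus constructed person entries, a constructed `privgroup` attribute and a hypothetical requester DN standing in for USER. It does not model the dynlist overlay itself, only which entries a compare on the underlying attribute (or on the group entry) is permitted to touch under each ACL form.

```python
# Added example (not from the thread): a simplified model of slapd "compare"
# access under the three ACL forms quoted in the message. Entries, the
# requester DN and attribute values are constructed for illustration.
import re

PEOPLE = "cn=people,dc=stanford,dc=edu"
GROUP = "cn=usergroup,cn=groups,dc=stanford,dc=edu"
USER = "uid=requester,cn=people,dc=stanford,dc=edu"  # hypothetical requester

# Constructed directory: a per-person privgroup attribute (the data a dynamic
# group would be derived from) and one group entry with a member attribute.
DIRECTORY = {
    f"uid=alice,{PEOPLE}": {"privgroup": ["user-group-a", "user-group-b"]},
    f"uid=bob,{PEOPLE}":   {"privgroup": ["user-group-a"]},
    f"uid=carol,{PEOPLE}": {"privgroup": ["restricted-group"]},
    GROUP: {"member": [f"uid=alice,{PEOPLE}", f"uid=bob,{PEOPLE}"]},
}


def _dn_matches(style, base, dn):
    """dn.exact / dn.subtree matching, simplified (case-sensitive, no normalisation)."""
    if style == "exact":
        return dn == base
    if style == "subtree":
        return dn == base or dn.endswith("," + base)
    raise ValueError(style)


def can_compare(acl, who, dn, attr, value):
    """True if 'who' is permitted to run a compare of attr=value against dn.

    acl is a list of dicts mirroring 'access to <what> by <who> compare':
    {"style", "base", "attrs" (set or None for all), "val_regex" (optional), "by"}.
    As in slapd, the first clause whose <what> matches decides; if its <who>
    does not match the requester, access falls through to the default deny.
    """
    for rule in acl:
        if not _dn_matches(rule["style"], rule["base"], dn):
            continue
        if rule["attrs"] is not None and attr not in rule["attrs"]:
            continue
        if "val_regex" in rule and not re.fullmatch(rule["val_regex"], value):
            continue
        return rule["by"] == "*" or who in rule["by"]
    return False


def comparable_entries(acl, who, attr, value):
    """Entries carrying attr that 'who' may probe with a compare of attr=value."""
    return sorted(dn for dn, entry in DIRECTORY.items()
                  if attr in entry and can_compare(acl, who, dn, attr, value))


# Form 1 from the thread: compare on privgroup over the whole people subtree.
ACL_SUBTREE = [{"style": "subtree", "base": PEOPLE,
                "attrs": {"privgroup"}, "by": {USER}}]

# Form 2: compare only against the one group entry.
ACL_EXACT = [{"style": "exact", "base": GROUP, "attrs": None, "by": {USER}}]

# Form 3: one val.regex clause per group, as the message says would be needed.
ACL_VALREGEX = [{"style": "subtree", "base": PEOPLE, "attrs": {"privgroup"},
                 "val_regex": "user-group-a", "by": {USER}}]

if __name__ == "__main__":
    for name, acl in [("subtree", ACL_SUBTREE), ("exact", ACL_EXACT),
                      ("val.regex", ACL_VALREGEX)]:
        print(name, "privgroup=restricted-group ->",
              comparable_entries(acl, USER, "privgroup", "restricted-group"))
        print(name, "member=alice ->",
              comparable_entries(acl, USER, "member", f"uid=alice,{PEOPLE}"))
```

Under the subtree form the requester may compare any value, including names of groups it was never granted, against every person entry; under the exact form it may only compare against the single group entry; the val.regex form narrows the subtree form to one group name, which is why it would have to be repeated for every group.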