Hello,
After careful testing I came up with explicit ACLs. For example I have:
access to dn.one="ou=Groups,o=test" attrs=entry,objectClass,gidNumber,cn,memberUid by dn.exact="cn=smbldapmgr,ou=Managers,o=test" write by * read
access to dn.one="ou=Groups,o=test" attrs=sambaSID,sambaGroupType,displayName by dn.exact="cn=smbldapmgr,ou=Managers,o=test" write by dn.exact="cn=sambamgr,ou=Managers,o=test" read by * none
Then I saw that I can use an objectClass name as a shorthand for all the attributes in the class. Here I could use:
access to dn.one="ou=Groups,o=test" attrs=entry,objectClass,posixGroup by dn.exact="cn=smbldapmgr,ou=Managers,o=test" write by * read
access to dn.one="ou=Groups,o=test" attrs=sambaGroupMapping by dn.exact="cn=smbldapmgr,ou=Managers,o=test" write by dn.exact="cn=sambamgr,ou=Managers,o=test" read by * none
I like the explicit form because it requires one to know exactly what is needed and it gives access to no more than that. Are there advantages to the short form (performance, readability, ease of maintenance and/or evolution)?
What about attributes like gidNumber which are in both classes? I guess that if I swap the two short ACLs I change the access to gidNumber. Am I right?
With the short form should I protect explicitly attributes (like userPassword of posixGroup) which do not appear currently in my directory but may be added later?
Any advice would be appreciated.
Regards, Thierry.
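As an added illustration (not part of the original post), the following Python models the slapd rule that the first "access to" directive whose target matches an attribute decides access, and the first matching "by" clause inside it decides the level. It assumes a hand-typed, simplified subset of the posixGroup and sambaGroupMapping schema; check the schema actually loaded on your server before relying on the expansion.

```python
# Added example, not from the original post: a small model of slapd ACL
# evaluation to show why the order of objectClass-shorthand rules matters
# for an attribute such as gidNumber that belongs to both classes.
# SCHEMA is a simplified, constructed subset (assumption): verify against
# the posixGroup / sambaGroupMapping definitions loaded on your server.
SCHEMA = {
    "posixGroup": {"cn", "gidNumber", "userPassword", "memberUid", "description"},
    "sambaGroupMapping": {"gidNumber", "sambaSID", "sambaGroupType",
                          "displayName", "sambaSIDList", "description"},
}
MGR = "cn=smbldapmgr,ou=Managers,o=test"
SMB = "cn=sambamgr,ou=Managers,o=test"

def expand(attrs):
    """Expand objectClass names in an attrs= list into member attributes."""
    out = set()
    for a in attrs:
        out |= SCHEMA.get(a, {a})   # plain attribute names pass through
    return out

def access(acl, attr, who):
    """Level granted to `who` on `attr` by the first directive matching attr."""
    for attrs, by in acl:
        if attr in expand(attrs):
            for subject, level in by:          # first matching 'by' wins
                if subject == "*" or subject == who:
                    return level
            return "none"                      # no 'by' matched: implicit deny
    return "none"   # assumption of this model: no directive matched -> deny

# The two short-form directives from the post (dn.one target omitted).
POSIX = (["entry", "objectClass", "posixGroup"],
         [(MGR, "write"), ("*", "read")])
SAMBA = (["sambaGroupMapping"],
         [(MGR, "write"), (SMB, "read"), ("*", "none")])

def compare_orders(attr, who):
    """Access under (posixGroup first) versus (sambaGroupMapping first)."""
    return access([POSIX, SAMBA], attr, who), access([SAMBA, POSIX], attr, who)

if __name__ == "__main__":
    print(compare_orders("gidNumber", "anonymous"))            # ('read', 'none')
    print(access([POSIX, SAMBA], "userPassword", "anonymous"))  # 'read'
```

The second print shows the point about attributes not yet in the directory: once posixGroup is used as shorthand with "by * read", a userPassword added to a group entry later is readable by anyone unless an earlier, more specific directive covers it.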