<quote who="Thierry Lacoste">
Hello,
After careful testing I came up with explicit ACLs. For example I have:
access to dn.one="ou=Groups,o=test" attrs=entry,objectClass,gidNumber,cn,memberUid by dn.exact="cn=smbldapmgr,ou=Managers,o=test" write by * read
access to dn.one="ou=Groups,o=test" attrs=sambaSID,sambaGroupType,displayName by dn.exact="cn=smbldapmgr,ou=Managers,o=test" write by dn.exact="cn=sambamgr,ou=Managers,o=test" read by * none
Then I saw that I can use an objectClass name as a shorthand for all the attributes in the class. Here I could use:
access to dn.one="ou=Groups,o=test" attrs=entry,objectClass,posixGroup by dn.exact="cn=smbldapmgr,ou=Managers,o=test" write by * read
access to dn.one="ou=Groups,o=test" attrs=sambaGroupMapping by dn.exact="cn=smbldapmgr,ou=Managers,o=test" write by dn.exact="cn=sambamgr,ou=Managers,o=test" read by * none
I like the explicit form because it requires one to know exactly what is needed and it gives access to no more than that. Are there advantages to the short form (performance, readability, ease of maintenance and/or evolution)?
Hi,
Performance:
You can test both versions by turning ACL logging on and watching the logs, or by starting slapd with -d and the correct level for ACLs (I don't have access to this number from here).
Readability:
Explicit version; again, it would indicate exactly what your intentions are.
Maintenance:
Depends on the level of knowledge the maintainer has.
What about attributes like gidNumber which are in both classes? I guess that if I swap the two short ACLs I change the access to gidNumber. Am I right?
With the short form, should I explicitly protect attributes (like userPassword of posixGroup) which do not appear currently in my directory but may be added later?
To be honest, if you are using the dynamic configuration backend, you can change all of these access levels on the fly, so don't waste too much time worrying about it. Get it right first, have a dev/test/prod (or more) environment etc. and go from there.
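The gidNumber and userPassword questions above come down to how slapd selects an access directive: it uses the first "access to" whose target matches, then the first matching "by" clause. This is an added example, not code from the thread; it models only the attrs= part of the target (both directives share the same dn.one scope), and the objectClass expansions are assumed from the standard nis.schema and samba.schema files, so check them against the schema you actually load.

```python
# Added example (not from the thread): a small model of how slapd picks the
# directive that governs one attribute. The FIRST "access to" whose attrs=
# target matches wins, then the FIRST matching "by" clause; if no "by" clause
# matches, the implicit trailing "by * none" applies.

# objectClass shorthand expansion (MUST + MAY), assumed from nis.schema and
# samba.schema; verify against the schema files loaded on your server.
OBJECTCLASS_ATTRS = {
    "posixGroup": {"cn", "gidNumber", "userPassword", "memberUid", "description"},
    "sambaGroupMapping": {"gidNumber", "sambaSID", "sambaGroupType",
                          "displayName", "sambaSIDList"},
}

def expand_attrs(attrs):
    """Expand objectClass names in an attrs= list into their attributes."""
    out = set()
    for a in attrs:
        out |= OBJECTCLASS_ATTRS.get(a, {a})
    return out

def acl(attrs, *by):
    """One 'access to ... attrs=<attrs> by <who> <level> ...' directive."""
    return {"attrs": expand_attrs(attrs), "by": list(by)}

def access_level(acls, who, attr):
    """Return the level 'who' gets on 'attr' under the ordered directives."""
    for directive in acls:
        if attr not in directive["attrs"]:
            continue                      # target does not match, try the next one
        for who_sel, level in directive["by"]:
            if who_sel == "*" or who_sel == who:
                return level              # first matching by-clause wins
        return "none"                     # matched, but no by-clause did
    return "none"                         # no directive matched: denied

SMB = "cn=smbldapmgr,ou=Managers,o=test"
SAMBA = "cn=sambamgr,ou=Managers,o=test"

# The two short-form directives from the thread, in the order posted.
short_form = [
    acl(["entry", "objectClass", "posixGroup"], (SMB, "write"), ("*", "read")),
    acl(["sambaGroupMapping"], (SMB, "write"), (SAMBA, "read"), ("*", "none")),
]
swapped = list(reversed(short_form))     # same directives, order swapped

def compare_orderings(who, attr):
    """(level in posted order, level in swapped order) for one identity/attr."""
    return access_level(short_form, who, attr), access_level(swapped, who, attr)

if __name__ == "__main__":
    for who in ("anonymous", SAMBA):
        print(who, "gidNumber:", compare_orderings(who, "gidNumber"))
    print("anonymous userPassword:", access_level(short_form, "anonymous", "userPassword"))
```

Swapping the two directives changes anonymous access to gidNumber from read to none, and in the posted order the posixGroup shorthand already grants anonymous read on userPassword even though no entry carries it yet.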