[OpenAFS] pts membership

Chris McClimans openafs-info@mcclimans.net
Fri, 15 Aug 2003 10:56:24 -0500


Can any authenticated user list pts membership? In the US University 
system we are all governed by FERPA and cannot release information 
(such as class enrollment) unless the students specifically allow it.

LDAP and AFS/pts are where I planned to store the grouping data that 
allows us to authorize students to resources required for a particular 
class. However, limiting the view of who is contained in these groups 
is proving difficult. The only way I see to do this for fall and still 
work under FERPA is asking the students to allow class group data 
(classes they are currently enrolled in) to be public. I'd like to 
brainstorm with anyone on technical solutions. My previous plans were 
nss_ldap and AFS, without enforcing private group membership. However, now 
I'm facing Federal Law and need to comply.

I may back off of storing the information in public LDAP and only use 
PTS and application-specific services with mail, so that the grouping 
data can only be seen with a mail/service Kerberos ticket or something.
-chris