[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: FURPA - HIPA - Filter help -- ACL

To: Some LDAP Admin <tjk@annapolislinux.org>
Subject: Re: FURPA - HIPA - Filter help -- ACL
From: Tony Earnshaw <tonni@billy.demon.nl>
Date: 16 Feb 2003 19:40:46 +0100
Cc: OpenLDAP Software <openldap-software@OpenLDAP.org>
In-reply-to: <20030216151232.GA28184@annapolislinux.org>
Organization:
References: <20030216151232.GA28184@annapolislinux.org>

søn, 2003-02-16 kl. 16:12 skrev Some LDAP Admin:

> I was wondering how people are setting up their LDAP directory
> to include both viewable data and non-viewable data.
> 
> The FURPA Law which applies to all schools in the US requires this.

More or less every grown-up DIT would.

> How would you do something like this with LDAP ?

Have you tried splitting the acl at the point that you want privacy?
With a pencil and paper?

     dc=somecoll,dc=edu
              |
   -------------------------------
   |                             |
ou=people                  everybodyelse


That's the way I do it. To the left self can write, everybody can read,
to the right not - or you can define what you want to allow..

access to dn="cn=person,ou=people,dc=somecoll,dc=edu"
   attr=whatEverYouWant1,whatEverYouWant2
   by self write
   by dn="ou=people,dc=somecoll,dc=edu" read

   (implies "by everybodyelse, forget it")

I can go deeper and deeper, but don't particularly want to here. You can
use regexes and all that kind of thing, namely, and it begins to get
complicated then.

Best,

Tony

-- 

Tony Earnshaw

When you rob a person of his illusions,
you are robbing him of his happiness


e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl

References:
- FURPA - HIPA - Filter help -- ACL
  - From: Some LDAP Admin <tjk@annapolislinux.org>

Prev by Date: Re: Adding an attribute host yes yes yes yes
Next by Date: Re: Memory and CPU usage
Index(es):
- Chronological
- Thread