[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Access per Attribute Definition based on ACL

To: "Gary C. New" <garycnew@yahoo.com>
Subject: Re: Access per Attribute Definition based on ACL
From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
Date: Wed, 11 May 2005 16:59:20 +0200
Cc: openldap-software@OpenLDAP.org
In-reply-to: <d5sifm$sn$1@sea.gmane.org>
References: <d5sifm$sn$1@sea.gmane.org>

Gary C. New writes:
> Is it possible to construct an ACL to allow/disallow a specific
> attribute from being access by another user based on a subsequent
> attribute in the same entry?  (...)
>
> cn=sam,dc=example,dc=net
> postalAddress: 12 Sampson St
> hidePostalAddress: TRUE

Something like this:

access to filter=(hidePostalAddress=TRUE) attrs=postalAddress
       by self write
       by <whoever can read it anyway> read

(and you could put "by * none" at the end for readability,
but that's the default anyway.)

See 'man slapd.access' in OpenLDAP 2.2.

-- 
Hallvard
Don't anthropomorphize computers. They hate that.

Follow-Ups:
- Re: Access per Attribute Definition based on ACL
  - From: "Gary C. New" <garycnew@yahoo.com>

References:
- Access per Attribute Definition based on ACL
  - From: "Gary C. New" <garycnew@yahoo.com>

Prev by Date: Re: Searching without matching derived attributes
Next by Date: Re: Access per Attribute Definition based on ACL
Index(es):
- Chronological
- Thread