
Re: Access per Attribute Definition based on ACL



Hallvard B Furuseth wrote:
> Gary C. New writes:
>
> > Is it possible to construct an ACL to allow/disallow a specific
> > attribute from being accessed by another user based on a subsequent
> > attribute in the same entry?  (...)
> >
> > cn=sam,dc=example,dc=net
> > postalAddress: 12 Sampson St
> > hidePostalAddress: TRUE
>
> Something like this:
>
> access to filter=(hidePostalAddress=TRUE) attrs=postalAddress
>        by self write
>        by <whoever can read it anyway> read
>
> (and you could put "by * none" at the end for readability,
> but that's the default anyway.)
>
> See 'man slapd.access' in OpenLDAP 2.2.


Would this filter display other attributes under Sam's dn (i.e., l, st, c)? What about other dn entries (i.e., Carl, George, Sue) that do not contain the attribute "hidePostalAddress: TRUE" but that should also be displayed in the result set, without filtering out the postalAddress?


Thank you, again, for your assistance.

Respectfully,


Gary
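To make Hallvard's suggestion concrete, here is the ACL written out together with the general rule that everything not matched by it falls through to. This is an added example, not text from either message in the thread; the admin group DN is an assumption. In slapd.conf, `access to` clauses are tried in order and the first one whose `what` part matches the entry and attribute being accessed decides the outcome, so the `filter=` clause is consulted only for entries that carry `hidePostalAddress: TRUE`, and only for their `postalAddress`. Sam's other attributes (l, st, c) and the `postalAddress` of entries without that flag are not matched by it and are governed by the `access to *` clause that follows.

```conf
# Added example (not from the thread). slapd.conf ACL fragment.
# Clause 1: applies only to the postalAddress attribute of entries
# whose own hidePostalAddress attribute is TRUE. The filter is
# evaluated against the entry being accessed, which is what ties the
# decision to "a subsequent attribute in the same entry".
access to filter=(hidePostalAddress=TRUE) attrs=postalAddress
        by self write
        by group.exact="cn=Admins,ou=Groups,dc=example,dc=net" read
        by * none

# Clause 2: everything not matched above, i.e. all other attributes of
# Sam's entry and every attribute (postalAddress included) of entries
# that do not have hidePostalAddress=TRUE. The "entry" pseudo-attribute
# is also covered here, which is required for any attribute of an entry
# to be returned at all.
access to *
        by self write
        by users read
        by anonymous auth
```

Two points worth checking when deploying this: the order matters, because an `access to *` placed before the filter clause would match first and make the filter clause unreachable; and since the filter clause grants only `self write`, a user cannot clear another user's `hidePostalAddress` flag through the second clause either, because other users get just `read` there.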