best way to selectively hide attributes using ACLs
In our directory we have a large number of attributes. Sometimes we
need to hide certain attributes of certain people from the public
view (but the attributes can still be seen by certain privileged users).
Currently, to hide an attribute, we delete the attribute and add the
same attribute prefixed with a "p" (e.g. fax becomes pfax).
We are in the process of upgrading our directory infrastructure (from
1.2, yikes!) and were looking at alternate ways to selectively hide
attributes.
I read through
http://www.duke.edu/~gettes/giia/ldap-recipe/
and thought we would use the idea of having a multi-valued attribute
called cuPrivate.
We would add a cuPrivate=attribute for any attribute we wanted to
hide for a user.
So to hide fax we would add cuPrivate=fax to the entry for that user
and then have an ACL like
access to filter=cuPrivate=fax attrs=fax
by * none
(A previous ACL gives access to everything to certain privileged users.)
However, this quickly became annoying, since I was going to need to
create a similar ACL for every attribute. Is there a way to
generalize this? Or should I not worry about having 100 such
statements?
I didn't see any mention of being able to use regular expressions in the filter,
something like
access to filter=cuPrivate=(.*) attrs=$1
by * none
Are there better ways to do this?
I saw at the bottom of 'man slapd.conf' that they used a ';x-hidden'
tag on attributes that were to be hidden, but I would still need to
write an ACL for every possible attribute (or at least base type) I
want hidden.
Here is the example from man slapd.conf:
# Subtypes of "name" (e.g. "cn" and "ou") with the
# option ";x-hidden" can be searched for/compared,
# but are not shown. See slapd.access(5).
attributeoptions x-hidden lang-
access to attr=name;x-hidden by * =cs
Does anyone have a good way of doing this?
Would adding regex support to the filter be a bad idea?
Thanks for the help,
Patrick
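The cuPrivate scheme from the post, as an added example that is not part of the original message or of OpenLDAP: it generates the per-attribute "access to filter=... attrs=..." directives and simulates slapd's first-match evaluation on a constructed entry, so the ordering (privileged rule first, per-attribute "none", default "read") can be checked before deployment. It assumes OpenLDAP 2.x "by ... break" semantics and a made-up privileged group DN; it also hides cuPrivate itself, since the list of hidden attributes reveals which data exists.

```python
# Added example, not from the original post or OpenLDAP: build the
# per-attribute ACLs of the cuPrivate scheme and simulate slapd's
# first-match evaluation (slapd.access(5): first matching "access to"
# directive, then first matching "by" clause; "break" falls through).
PRIVILEGED_GROUP = "cn=privileged,ou=groups,dc=example,dc=edu"  # assumed DN

def build_acls(hideable):
    """Directives as (filter, attrs, by-list); filter is (attr, value) or None."""
    acls = [(None, "*", [("privileged", "read"), ("*", "break")])]
    # Keep the list of hidden attributes itself private, or it leaks intent.
    acls.append((None, "cuPrivate", [("*", "none")]))
    acls += [(("cuPrivate", a), a, [("*", "none")]) for a in hideable]
    acls.append((None, "*", [("*", "read")]))  # default: public read
    return acls

def render(acls):
    """Emit slapd.conf 'access to' text for the directive list."""
    who = {"privileged": f'group="{PRIVILEGED_GROUP}"', "*": "*"}
    out = []
    for flt, attrs, by in acls:
        parts = [f"filter=({flt[0]}={flt[1]})"] if flt else []
        parts += [f"attrs={attrs}"] if attrs != "*" else []
        target = " ".join(parts) or "*"
        clauses = "".join(f"\tby {who[w]} {lvl}\n" for w, lvl in by)
        out.append(f"access to {target}\n{clauses}")
    return "".join(out)

def visible(entry, who, acls):
    """Attributes of `entry` that requester `who` ('privileged'/'anon') may read."""
    shown = set()
    for attr in entry:
        for flt, attrs, by in acls:
            if flt and flt[1] not in entry.get(flt[0], []):
                continue  # entry does not match the directive's filter
            if attrs != "*" and attrs != attr:
                continue  # directive does not cover this attribute
            level = next((lvl for w, lvl in by if w in (who, "*")), "none")
            if level == "break":
                continue  # fall through to the next directive
            if level == "read":
                shown.add(attr)
            break  # first matching directive decides
    return shown

HIDEABLE = ["fax", "telephoneNumber", "homePostalAddress"]
ACLS = build_acls(HIDEABLE)
# Constructed entry that marks only fax as private.
ENTRY = {"cn": ["Pat"], "fax": ["555-0100"],
         "telephoneNumber": ["555-0101"], "cuPrivate": ["fax"]}

if __name__ == "__main__":
    print(render(ACLS))
    print("anon sees:", sorted(visible(ENTRY, "anon", ACLS)))
    print("privileged sees:", sorted(visible(ENTRY, "privileged", ACLS)))
```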