Re: Limiting attributes through ACL

To: Pierangelo Masarati <ando@sys-net.it>
Subject: Re: Limiting attributes through ACL
From: Dan Ciarniello <dciarniello@cityxpress.com>
Date: Tue, 19 Jun 2007 16:11:42 -0700
Cc: openldap-software@openldap.org
In-reply-to: <46784638.5040509@sys-net.it>
References: <46717A8F.6050506@cityxpress.com> <467196AA.3080602@sys-net.it> <4672F8A1.5040800@cityxpress.com> <33272.82.63.140.131.1181999399.squirrel@82.63.140.131> <46783785.5090800@cityxpress.com> <46784638.5040509@sys-net.it>
User-agent: Mozilla Thunderbird 1.0.8-1.1.fc4 (X11/20060501)

Pierangelo Masarati wrote:

Try something along the lines:

# allow everybody to bind, and self to change password
access to attrs=userPassword
      by self write
      by anonymous auth

# allow everybody searching for objectClass
access to filter="(objectClass=inetOrgPerson)" attrs=objectClass
      by * search

# allow everybody to read the entry and the cn
access to filter="(objectClass=inetOrgPerson)" attrs=entry,cn
      by * read

# allow only users to read the rest of the entry
access to filter="(objectClass=inetOrgPerson)"
      by users read

# allow everybody to search (but not see) everything else
access to *
       by * search

p.

That does the trick.

Grazie mille,
Dan.

References:
- Limiting attributes through ACL
  - From: Dan Ciarniello <dciarniello@cityxpress.com>
- Re: Limiting attributes through ACL
  - From: Pierangelo Masarati <ando@sys-net.it>
- Re: Limiting attributes through ACL
  - From: "Pierangelo Masarati" <ando@sys-net.it>
- Re: Limiting attributes through ACL
  - From: Dan Ciarniello <dciarniello@cityxpress.com>
- Re: Limiting attributes through ACL
  - From: Pierangelo Masarati <ando@sys-net.it>