
Re: "hidden" attributes in openldap?



On Wed, Mar 16, 2011 at 05:31:27PM +0200, George Mamalakis wrote:

> I am trying to find a way to hide/unhide attributes on my DIT
> (openldap-2.4.21) and I cannot find a way to do this. What I mean by
> hide/unhide is that I want specific attributes to be listed with
> ldapsearch only if the owner of the records agrees. I did not find
> any feature that does this "automatically", so I tried to implement
> it through acls. I created a group called i.e. "cn=publish
> mail,ou=Groups,dc=example,dc=com" where people wishing to disclose
> their emails are members of this group. On the acl statement I
> couldn't find a way to restrict my acl based on "conditional
> attributes".

There are several ways to do that. See my paper on ACL
design for some examples:

	http://www.skills-1st.co.uk/papers/ldap-acls-jan-2009/

Parts of section 10.5 might be useful, but as that is
a rather complex example I suggest you do not start
there!

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
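One way to express the "conditional attribute" rule from the quoted question as a set-based OpenLDAP ACL, added here as an example (it is not from either message nor from the paper Andrew links). The group DN is the one George gives; the ou=People base, the groupOfNames/member shape of the group, and the requirement that readers be authenticated are assumptions.

```conf
# slapd.conf fragment (added example). Assumptions: person entries sit under
# ou=People,dc=example,dc=com and the opt-in group is a groupOfNames whose
# "member" values are the DNs of people who agreed to disclose their mail.

# Clause 1: a person opts in or out by adding/removing only their own DN
# as a member value; "selfwrite" denies them touching anyone else's entry.
access to dn.exact="cn=publish mail,ou=Groups,dc=example,dc=com" attrs=member
        by users selfwrite
        by users read
        by * none

# Clause 2: mail is readable only when the target entry ("this") appears
# among the group's member values. The set expands [groupDN]/member to the
# member DNs and intersects it with "this"; a non-empty result grants read.
# The set clause does not look at the requester, so "by anonymous none" is
# listed first to keep unauthenticated binds out. Keep this clause ahead of
# any broader "access to" clause that would match these entries first, since
# slapd stops at the first clause matching the entry/attribute.
access to dn.subtree="ou=People,dc=example,dc=com" attrs=mail
        by self read
        by anonymous none
        by set="[cn=publish mail,ou=Groups,dc=example,dc=com]/member & this" read
        by * none

# Clause 3: everything else on people entries, shown only so the fragment
# is self-contained; substitute whatever policy already applies.
access to dn.subtree="ou=People,dc=example,dc=com"
        by self write
        by users read
        by * none

# Check the result offline, e.g. bob reading alice's mail:
#   slapacl -f slapd.conf -D "uid=bob,ou=People,dc=example,dc=com" \
#           -b "uid=alice,ou=People,dc=example,dc=com" mail/read
# Run it once with alice in the group and once without to confirm the flip.
```

Note that anyone who can read the group's member attribute can infer who has opted in, so its readability should be decided alongside that of mail itself.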