Re: "hidden" attributes in openldap?
On Wed, Mar 16, 2011 at 05:31:27PM +0200, George Mamalakis wrote:
> I am trying to find a way to hide/unhide attributes on my DIT
> (openldap-2.4.21) and I cannot find a way to do this. What I mean by
> hide/unhide is that I want specific attributes to be listed with
> ldapsearch only if the owner of the records agrees. I did not find
> any feature that does this "automatically", so I tried to implement
> it through acls. I created a group called i.e. "cn=publish
> mail,ou=Groups,dc=example,dc=com" where people wishing to disclose
> their emails are members of this group. On the acl statement I
> couldn't find a way to restrict my acl based on "conditional
> attributes".

There are several ways to do that. See my paper on ACL design for some examples:

http://www.skills-1st.co.uk/papers/ldap-acls-jan-2009/

Parts of section 10.5 might be useful, but as that is a rather complex example I suggest you do not start there!

Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------