
Re: ACL to replicate a single value of an attribute



On Wed, 1 Aug 2012, Andrei B?NARU wrote:

> Is it possible to create an ACL entry that will allow only the first value of an attribute to be read (an example would be nice)?
>
> For example, having userPassword with a first value using MD5 hashing and a second value as plain text. We plan on replicating that object but we don't want to include the plain text value of the attribute userPassword.

"First value," no. Ordering isn't guaranteed; you're setting yourself up for pain if you make security policy around that.

But if you have {MD5}something and {SHA1}else, then you have something programmatic to work with. As a result of ITS#3446 (ancient history at this point) you should be able to use an ACL like:

access to * attrs=userPassword val.regex=@@WhatYouWant@@ by [...]

to restrict {MD5} or {SHA1} or whatever.
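A worked slapd.conf fragment for the case the original poster describes, as an added example and not part of the reply above. The replication identity (cn=replicator,dc=example,dc=com), the suffix, and the set of hash prefixes are assumptions for illustration; the mechanism is the per-value `val.regex` ACL style referred to above. The regex uses bracket expressions for the braces so it is unambiguous under POSIX extended regex, which is what slapd compiles ACL regexes with.

```conf
# Added example (not the list poster's configuration); names are hypothetical.
# ACLs are evaluated per attribute value: a value that matches the first
# clause is governed by it, a value that does not falls through to the next
# clause for the same attribute.

# Clause 1: only values that carry a recognised hash scheme prefix are
# readable by the replication identity.  Extend the alternation to the
# schemes actually in use (SSHA, MD5, SHA1, CRYPT, ...).
access to attrs=userPassword val.regex="^[{](SSHA|MD5|SHA1)[}].*"
    by dn.exact="cn=replicator,dc=example,dc=com" read
    by self write
    by * auth

# Clause 2: every other userPassword value, which is where a cleartext
# value lands.  The replicator gets no explicit grant here, so it cannot
# read the value and it is never sent to the consumer.  "by * auth" keeps
# simple binds working against whichever value matches.
access to attrs=userPassword
    by self write
    by * auth

# The rest of the entry replicates normally.
access to *
    by dn.exact="cn=replicator,dc=example,dc=com" read
    by * read
```

Two checks before relying on this. First, bind as the replicator against the provider and search the entry with `-b "<dn>" userPassword`; only the prefixed values should come back, which is exactly the view syncrepl uses when it builds the consumer's copy. Second, remember that a scheme prefix is just a string: a value of `{MD5}` followed by cleartext would still match clause 1, so the regex enforces the presence of a prefix, not that the value was actually hashed. If cn=config is in use, the same clauses go into `olcAccess` values with identical syntax.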