[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL to replicate a single value of an attribute

To: Andrei BĂNARU <abanaru@streamwide.ro>
Subject: Re: ACL to replicate a single value of an attribute
From: Aaron Richton <richton@nbcs.rutgers.edu>
Date: Wed, 1 Aug 2012 09:49:58 -0400 (EDT)
Cc: openldap-technical@openldap.org
In-reply-to: <501922C8.40303@streamwide.ro>
References: <501922C8.40303@streamwide.ro>
User-agent: Alpine 2.02 (SOC 1266 2009-07-14)

On Wed, 1 Aug 2012, Andrei B?NARU wrote:

Is it possible to create an ACL entry that will allow only the first value ofan attribute to be read ( an example would be nice ) ?
For example having userPassword with a first value using MD5 hashing and asecond value as plain text. We plan on replicating that object but we don'twant to include the plain text value of the attribute userPassword.

"First value," no. Ordering isn't guaranteed, you're setting yourself upfor pain if you make security policy around that.

But if you have {MD5}something and {SHA1}else, then you have somethingprogramatic to work with. As a result of ITS#3446 (ancient history at thispoint) you should be able to use an ACL like:


access to * attrs=userPassword val.regex=@@WhatYouWant@@ by [...]

to restrict {MD5} or {SHA1} or whatever.

References:
- ACL to replicate a single value of an attribute
  - From: Andrei BÄNARU <abanaru@streamwide.ro>

Prev by Date: ACL to replicate a single value of an attribute
Next by Date: What will happen if a user is a member of a group, but has another group as its primary group
Index(es):
- Chronological
- Thread