
Re: Split attributes across servers

--On Monday, November 17, 2003 9:29 PM -0700 Steve Sullivan <sullivan@mathcom.com> wrote:

> Hi,
>
> We'd like to have two servers, each containing part of the
> attributes of a given dn.  For example,
> for a given dn: uid=babs,ou=people,dc=example,dc=org
>
> the server: ldap://public_server
> would contain the public info for babs, say:  uid, sn, cn, title
>
> and the server: ldap://secure_server
> would contain the private info for babs, say: homePhone, jpegPhoto
>
> We want some users only to see the public info,
> which is easy with the standard LDAP auth mechanisms.
>
> But we want other users to see ALL the attributes,
> public and secure, as a single integrated record.
> Is there a way to integrate these two servers so they
> could return a single record with ALL the attributes?
>
> The reason is that different institutions will host the
> servers, and the secure server folks don't want to manage the
> public info, and the public server folks don't want to know
> the secure info.

Use a single entry, and have privacy/security settings for various attributes. There is no way to split up an entry that I know of; it essentially violates the entire idea of having a container that contains attributes. Stanford University deals with this in having to deal with FERPA/HIPAA requirements of security of students & patients, so we've had to invest quite a bit of thought in how to implement privacy rules that honor those laws. We basically have attributes that specify whether other attributes are world, stanford, or private view. World means anyone can see it, stanford means only Stanford authenticated users can see it, and private means only very special privileged applications can see it.


An example for home telephone number:

suVisibHomePhone=world
homephone = 1 234 567-8910

The acls would look like:

access to dn.children="cn=people,dc=stanford,dc=edu" filter=(suVisibHomePhone=stanford) attrs=homePhone
    by group.base="cn=stanfordauth,cn=applications,dc=stanford,dc=edu" read
    by dn.base="cn=accounts,dc=stanford,dc=edu" read
    by * break

access to dn.children="cn=people,dc=stanford,dc=edu" filter=(suVisibHomePhone=world) attrs=homePhone
    by group.base="cn=stanfordauth,cn=applications,dc=stanford,dc=edu" read
    by dn.base="cn=accounts,dc=stanford,dc=edu" read
    by anonymous read
    by * break


Note that we do not give * access when the setting is world.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
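As an added illustration, not part of Quanah's message or of OpenLDAP itself: a deliberately simplified model of how slapd walks its ordered "access to ... by ..." clauses, covering only the selectors used in the two ACLs above (dn.children, filter, attrs, group.base, dn.base, anonymous, *), with a constructed directory of two people and one application group. It shows why the "by * break" at the end of each clause, and the absence of any "by * read", leaves an ordinary authenticated user without access to homePhone even when the visibility is world.

```python
# Simplified slapd ACL walk (added example, not slapd's real evaluator):
# first matching "by" clause decides; "break" moves on to the next
# "access to" clause; no matching "by" clause, or an exhausted list, denies.
PEOPLE = "cn=people,dc=stanford,dc=edu"
AUTH_GROUP = "cn=stanfordauth,cn=applications,dc=stanford,dc=edu"
ACCOUNTS = "cn=accounts,dc=stanford,dc=edu"

# Constructed directory contents: two people and one application group.
ENTRIES = {
    "uid=babs," + PEOPLE: {"suVisibHomePhone": "world", "homePhone": "1 234 567-8910"},
    "uid=carl," + PEOPLE: {"suVisibHomePhone": "stanford", "homePhone": "1 234 567-8911"},
}
GROUPS = {AUTH_GROUP: {"cn=portal,cn=applications,dc=stanford,dc=edu"}}

def by_matches(who, requester):
    # requester is the bound DN, or None for an anonymous bind
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who.startswith("group.base="):
        return requester in GROUPS.get(who[len("group.base="):], set())
    if who.startswith("dn.base="):
        return requester == who[len("dn.base="):]
    return False

def can_read(acls, requester, dn, attr):
    entry = ENTRIES[dn]
    for acl in acls:
        fa, fv = acl["filter"]
        if not dn.endswith("," + acl["children_of"]):
            continue                      # target does not match: next clause
        if entry.get(fa) != fv or attr not in acl["attrs"]:
            continue
        for who, level in acl["by"]:
            if by_matches(who, requester):
                if level == "break":
                    break                 # "by * break": keep walking the list
                return level == "read"    # first matching by-clause decides
        else:
            return False                  # no by-clause matched: denied
    return False                          # list exhausted: denied

# Quanah's two clauses transcribed; nothing after them grants homePhone.
STANFORD_ACLS = [
    {"children_of": PEOPLE, "filter": ("suVisibHomePhone", "stanford"), "attrs": {"homePhone"},
     "by": [("group.base=" + AUTH_GROUP, "read"), ("dn.base=" + ACCOUNTS, "read"), ("*", "break")]},
    {"children_of": PEOPLE, "filter": ("suVisibHomePhone", "world"), "attrs": {"homePhone"},
     "by": [("group.base=" + AUTH_GROUP, "read"), ("dn.base=" + ACCOUNTS, "read"),
            ("anonymous", "read"), ("*", "break")]},
]
```

Real slapd also matches attribute names case-insensitively and applies many more selectors and access levels; this model is only for reasoning about clause order and break.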