[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Access per Attribute Definition based on ACL

Hallvard B Furuseth wrote:
Gary C. New writes:

Is it possible to construct an ACL to allow/disallow a specific
attribute from being access by another user based on a subsequent
attribute in the same entry?  (...)

postalAddress: 12 Sampson St
hidePostalAddress: TRUE

Something like this:

access to filter=(hidePostalAddress=TRUE) attrs=postalAddress
       by self write
       by <whoever can read it anyway> read

(and you could put "by * none" at the end for readability,
but that's the default anyway.)

See 'man slapd.access' in OpenLDAP 2.2.

Would this filter display other attributes under Sam's dn (i.e., l, st, c)? What about other dn entries (i.e., Carl, George, Sue) that do not contain the attribute "hidePostalAddress: TRUE" but that should also be displayed in the result set, without filtering out the postalAddress?

Thank you, again, for your assistance.