[Date Prev][Date Next] [Chronological] [Thread] [Top]

best way to selectively hide attributes using ACLs

In our directory we have a large number of attributes. Sometimes we need to hide certain attributes of certain people from the public view (but the attributes can still be seen by certain privileged users)

Currently to hide an attribute, we delete the attribute and add the same attribute prefixed with a p. (e.g fax becomes pfax).

We are in the process of upgrading our directory infrastructure (from 1.2 Yikes!) and were looking at alternate ways to selectively hide attributes.

I read through

and thought we would use the idea of having a multi-valued attribute called cuPrivate.
We would add a cuPrivate=attribute for any attribute we wanted to hide for a user.
So to hide fax we would add cuPrivate=fax to the entry for that user and then have an acl like

access to filter=cuPrivate=fax attrs=fax
	  by * none

(a previous ACL gives access to everything to certain privileged users)

However this quickly became annoying, since I was going to need to create an similar ACL for every attribute. Is there a way to generalize this? Or should I not worry about having a 100 of such statements.

I did see any mention of being to use regular expressions in the filter
something like

access to filter=cuPrivate=(.*) attrs=$1
	by * none

are there better ways to do this?

I saw at the bottom of 'man slapd.conf', that they used a ';x-hidden' tag on attributes that were to be hidden but I would still need to write an ACL for every possible attribute (or at least base type) I want hidden.

Here is the example from man slapd.conf

   # Subtypes of "name" (e.g. "cn" and "ou") with the
	      # option ";x-hidden" can be searched for/compared,
	      # but are not shown.  See slapd.access(5).
	      attributeoptions x-hidden lang-
	      access to attr=name;x-hidden by * =cs

Does anyone have a good way of doing this?

Would adding regex support to the filter be bad idea?

thanks for the help,