[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: "hidden" attributes in openldap?

On 17/3/2011 12:14 μμ, Andrew Findlay wrote:
On Wed, Mar 16, 2011 at 07:37:23PM +0200, George Mamalakis wrote:

access to dn.subtree="ou=People,dc=example,dc=com" attrs=mail
         by anonymous none
         by self write
         by set="this&  [cn=Publish Mail,ou=Groups,dc=example,dc=com]/uniqueMember " read
         by * none
Now to your paper, do you propose a solution/example that does
exactly what I wish? If so, is it located in section 10.5 explicitly
or implicitly?
Not exactly what you want, but the example in 10.5
might provide a useful framework. It works by defining
sets of attributes, then selectively granting access
to entries based on the setting of a visibility
attribute in the entry, then selectively granting
access to attribute sets based on who is asking.

You want to allow individual entries to select the
visibility of mail attributes. The group and set
scheme that you propose is one way to do that (though
I would use member rather than uniqueMember). Another
might be to use a visibility attribute in the entry
and a series of rules of the form:

access to filter="(&(objectclass=person)(visibility=mail-users))"
	by users read
	by * break

That rule would be one of a series, ending up with a
default-deny, perhaps something like this:

access to filter="(objectclass=person)"
	by * none

You would need to handle 'self' access in an earlier


thank you very much for your help. I find your approach very interesting and I will definitely look into it. It seems much more controllable/versatile than my way.

George Mamalakis

IT Officer
Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
MSc (Imperial College of London)

Department of Electrical and Computer Engineering
Faculty of Engineering
Aristotle University of Thessaloniki

phone number : +30 (2310) 994379