Wednesday, April 27, 2016

[389-users] Re: ACI value selector?

Thanks for the quick response!

We might open a RFE for that, even though we not (in this case) will gain of it, but it would be a nice feature to extend targattrfilters for read operations also.


2016-04-27 9:11 GMT+02:00 Ludwig Krispenz <>:

On 04/27/2016 01:00 AM, William Brown wrote:
On Tue, 2016-04-26 at 12:30 +0200, Simon Oscarsson wrote:  
Hi,    I wonder if there is an ACI statement that allows to filter the response on  attribute values. OpenLDAP has something called ACI value selector (for  example "attrs=memberof val.childern='ou=Dummy,dc=test,dc=org'" that will  only return attribute values for 'memberof' having a value being part of  the subtree 'ou=Dummy,dc=test,dc=org' and filter away other memberof  values). There is an 'targattrfiltes' statement in 389 DS, but that only  applies on 'add' or 'delete' operations (would like to have one for 'read')  
Unless I am misunderstanding your question,
yes, he wants additional access control by the value of the attr like we support it with targattrfilters for add/del of values. We don't have it for search.
targattrfilters was introduced with a specific use case in mind, like allowing users to assign roles to themselve, but restrict from specific roles.
It was not generalized for all operation types.

if you need this feature you can open an RFE, but it might take some time (versions) until it would be available.

  you can use targetattr = "attr" to control read access to an attribute. IE:    (targetAttr = "uid" || "gid")(version3.0; acl "Read access to uid and gid"; allow (read, search) userdn="ldap:///anyone")        

--  389-users mailing list  

--   Red Hat GmbH,, Registered seat: Grasbrunn,   Commercial register: Amtsgericht Muenchen, HRB 153243,  Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill

389-users mailing list

No comments:

Post a Comment