On Tue, 2016-04-26 at 12:30 +0200, Simon Oscarsson wrote:
> Hi,
>
> I wonder if there is an ACI statement that allows to filter the response on
> attribute values. OpenLDAP has something called ACI value selector (for
> example "attrs=memberof val.childern='ou=Dummy,dc=test,dc=org'" that will
> only return attribute values for 'memberof' having a value being part of
> the subtree 'ou=Dummy,dc=test,dc=org' and filter away other memberof
> values). There is an 'targattrfiltes' statement in 389 DS, but that only
> applies on 'add' or 'delete' operations (would like to have one for 'read')
Unless I am misunderstanding your question,
you can use targetattr = "attr" to control read access to an attribute. IE:
(targetAttr = "uid" || "gid")(version3.0; acl "Read access to uid and gid"; allow (read, search) userdn="ldap:///anyone")
--
Sincerely,
William Brown
Software Engineer
Red Hat, Brisbane
No comments:
Post a Comment