Tuesday, April 26, 2016

[389-users] Re: ACI value selector?

On Tue, 2016-04-26 at 12:30 +0200, Simon Oscarsson wrote:
> Hi,
> I wonder if there is an ACI statement that allows to filter the response on
> attribute values. OpenLDAP has something called ACI value selector (for
> example "attrs=memberof val.children='ou=Dummy,dc=test,dc=org'" that will
> only return attribute values for 'memberof' having a value being part of
> the subtree 'ou=Dummy,dc=test,dc=org' and filter away other memberof
> values). There is a 'targattrfilters' statement in 389 DS, but that only
> applies to 'add' or 'delete' operations (I would like to have one for 'read').

Unless I am misunderstanding your question, you can use targetattr = "attr" to control read access to an attribute, i.e.:

(targetattr = "uid || gid")(version 3.0; acl "Read access to uid and gid"; allow (read, search) userdn="ldap:///anyone";)


William Brown
Software Engineer
Red Hat, Brisbane
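
The following is an added example, not part of the original post and not 389 DS project code: a small audit helper that parses ACIs of the simple form shown in the reply and reports which attributes each one makes readable to "ldap:///anyone". The function names and the sample ACIs are constructed for illustration, and the parser deliberately handles only this one targetattr/allow/userdn shape.

```python
import re

# Matches only the simple ACI shape used in this thread:
# (targetattr = "a || b")(version 3.0; acl "name"; allow (rights) <bind rule>;)
ACI_RE = re.compile(
    r'\(\s*targetattr\s*=\s*"(?P<attrs>[^"]*)"\s*\)\s*'
    r'\(\s*version\s+3\.0\s*;\s*acl\s+"(?P<name>[^"]*)"\s*;\s*'
    r'(?P<kind>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'(?P<bind>.+?)\s*;\s*\)\s*$',
    re.IGNORECASE | re.DOTALL,
)
ANYONE_RE = re.compile(r'userdn\s*=\s*"ldap:///anyone"', re.IGNORECASE)

def parse_aci(aci):
    """Split one ACI string into name, attribute list, rights and bind rule."""
    m = ACI_RE.match(aci.strip())
    if not m:
        raise ValueError("unsupported or malformed ACI: %r" % aci)
    return {
        "name": m.group("name"),
        "attrs": [a.strip().lower() for a in m.group("attrs").split("||") if a.strip()],
        "kind": m.group("kind").lower(),
        "rights": {r.strip().lower() for r in m.group("rights").split(",") if r.strip()},
        "bind": m.group("bind").strip(),
    }

def anonymous_readable(acis):
    """Return {acl name: [attrs]} for allow rules granting read to anyone."""
    findings = {}
    for aci in acis:
        p = parse_aci(aci)
        if p["kind"] == "allow" and "read" in p["rights"] and ANYONE_RE.search(p["bind"]):
            findings[p["name"]] = p["attrs"]
    return findings

# Constructed sample ACIs (not taken from any real directory).
SAMPLE_ACIS = [
    '(targetattr = "uid || gid")(version 3.0; acl "Read access to uid and gid"; '
    'allow (read, search) userdn="ldap:///anyone";)',
    '(targetattr = "userPassword")(version 3.0; acl "Self write"; '
    'allow (write) userdn="ldap:///self";)',
    '(targetattr = "memberOf")(version 3.0; acl "Authenticated read"; '
    'allow (read, search, compare) userdn="ldap:///all";)',
]

if __name__ == "__main__":
    for name, attrs in anonymous_readable(SAMPLE_ACIS).items():
        print("anonymous read via %r: %s" % (name, ", ".join(attrs)))
```
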

