|
On 04/27/2016 01:00 AM, William Brown
wrote:
yes, he wants additional access control by the value of the attr like we support it with targattrfilters for add/del of values. We don't have it for search.On Tue, 2016-04-26 at 12:30 +0200, Simon Oscarsson wrote:Hi, I wonder if there is an ACI statement that allows to filter the response on attribute values. OpenLDAP has something called ACI value selector (for example "attrs=memberof val.childern='ou=Dummy,dc=test,dc=org'" that will only return attribute values for 'memberof' having a value being part of the subtree 'ou=Dummy,dc=test,dc=org' and filter away other memberof values). There is an 'targattrfiltes' statement in 389 DS, but that only applies on 'add' or 'delete' operations (would like to have one for 'read')Unless I am misunderstanding your question, targattrfilters was introduced with a specific use case in mind, like allowing users to assign roles to themselve, but restrict from specific roles. It was not generalized for all operation types. Simon, if you need this feature you can open an RFE, but it might take some time (versions) until it would be available. Ludwig you can use targetattr = "attr" to control read access to an attribute. IE: (targetAttr = "uid" || "gid")(version3.0; acl "Read access to uid and gid"; allow (read, search) userdn="ldap:///anyone") -- Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill |
-- 389-users mailing list 389-users@xxxxxxxxxxxxxxxxxxxxxxx http://lists.fedoraproject.org/admin/lists/389-users@xxxxxxxxxxxxxxxxxxxxxxx
