On Thu, 2018-02-22 at 12:17 +0100, Angel Bosch wrote:
> hi,
>
> I need one specific attribute to be hidden for anyone but one group.
>
> I've tested this one:
>
> (targetattr = "myCustomAttr") (version 3.0; acl "deny all but admins"; deny (all) groupdn != "ldap:///cn=admins,ou=Groups,dc=company,dc=global";)
>
> and seems to work.
>
> Is this the right way to do it?

A better way to write this is:

(targetattr = "mycustomattr")(version 3.0; acl "allow admins mycustomattr"; allow (all) groupdn = "ldap:///cn=admins,ou=Groups,dc=company,dc=global";)

That's a better rule.

> Can I face any side effects?

So if you apply the "allow" rather than the deny rule here, and a "non-admin" user can read mycustomattr, that indicates a bug in your ACLs. I have some posts about this which might help:

https://fy.blackhats.net.au/blog/html/2015/07/04/Unit_testing_LDAP_acis_for_fun_and_profit.html?highlight=aci

This is a very common "anti-pattern" I see, and it creates huge security issues. If you find with the "allow" version that this is happening, check your other rules!

Hope that helps,

> regards,
>
> abosch

--
Thanks,

William Brown
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
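The check William describes (apply the allow-form ACI, then confirm that a user outside cn=admins really cannot read the attribute, and treat a leak as a sign that some other ACI is too broad) as an added shell example; this is not code from the thread or from the 389 DS project. It assumes the OpenLDAP client tools (ldapmodify, ldapsearch), a 389 DS instance reachable at $LDAPURI, the suffix from the thread, and two placeholder accounts: alice (a member of cn=admins) and bob (not a member). Passwords are read from environment variables that you must set yourself.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Host, suffix, user DNs and
# passwords below are assumed placeholders.
set -eu

LDAPURI="${LDAPURI:-ldap://localhost:389}"
SUFFIX="${SUFFIX:-dc=company,dc=global}"
ADMIN_GROUP="ldap:///cn=admins,ou=Groups,$SUFFIX"
ATTR="mycustomattr"

# Emit the LDIF change that adds the allow-form ACI (the rule from the reply)
# to the suffix entry.
aci_ldif() {
  cat <<EOF
dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr = "$ATTR")(version 3.0; acl "allow admins $ATTR"; allow (all) groupdn = "$ADMIN_GROUP";)
EOF
}

# Return 0 if the attribute appears in an LDIF search result, 1 otherwise.
# Matching is case-insensitive because LDAP attribute names are.
attr_visible() {
  printf '%s\n' "$1" | grep -qi "^$ATTR:"
}

# Search as one bind DN and compare what was seen with what we expect
# ("visible" for admins, "hidden" for everyone else). Returns 1 on a mismatch.
check_bind() {
  binddn="$1"; bindpw="$2"; expect="$3"
  out="$(ldapsearch -LLL -x -H "$LDAPURI" -D "$binddn" -w "$bindpw" \
          -b "$SUFFIX" "(objectClass=person)" "$ATTR" 2>/dev/null || true)"
  if attr_visible "$out"; then seen=visible; else seen=hidden; fi
  if [ "$seen" = "$expect" ]; then
    echo "OK   $binddn: $ATTR $seen"
  else
    echo "FAIL $binddn: $ATTR $seen (expected $expect) - another ACI is granting access"
    return 1
  fi
}

# The live part only runs when RUN_LIVE=1, so the helpers above can be used
# (and tested) without a directory server present.
if [ "${RUN_LIVE:-0}" = 1 ]; then
  aci_ldif | ldapmodify -x -H "$LDAPURI" -D "cn=Directory Manager" -w "$DM_PW"
  check_bind "uid=alice,ou=People,$SUFFIX" "$ALICE_PW" visible  # alice: in cn=admins (assumed)
  check_bind "uid=bob,ou=People,$SUFFIX"   "$BOB_PW"   hidden   # bob: not a member (assumed)
fi
```

Run it with `RUN_LIVE=1 DM_PW=... ALICE_PW=... BOB_PW=... sh aci_check.sh`. A FAIL for bob after the allow rule is in place is exactly the situation the reply warns about: the allow rule itself is correct, so the leak comes from a different, overly broad ACI that still needs to be found.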