On 04/27/2016 01:00 AM, William Brown wrote:
On Tue, 2016-04-26 at 12:30 +0200, Simon Oscarsson wrote:
> Hi,
>
> I wonder if there is an ACI statement that allows to filter the response on
> attribute values. OpenLDAP has something called ACI value selector (for
> example "attrs=memberof val.childern='ou=Dummy,dc=test,dc=org'"
that will
> only return attribute values for 'memberof' having a value being part of
> the subtree 'ou=Dummy,dc=test,dc=org' and filter away other memberof
> values). There is an 'targattrfiltes' statement in 389 DS, but that only
> applies on 'add' or 'delete' operations (would like to have one for
'read')
Unless I am misunderstanding your question,
yes, he wants additional access control
by the value of the attr like we
support it with targattrfilters for add/del of values. We don't have it
for search.
targattrfilters was introduced with a specific use case in mind, like
allowing users to assign roles to themselve, but restrict from specific
roles.
It was not generalized for all operation types.
Simon,
if you need this feature you can open an RFE, but it might take some
time (versions) until it would be available.
Ludwig
you can use targetattr = "attr" to control read access to an attribute. IE:
(targetAttr = "uid" || "gid")(version3.0; acl "Read access to
uid and gid"; allow (read, search) userdn="ldap:///anyone")
--
389-users mailing list
389-users(a)lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
--
Red Hat GmbH,
http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill