On 16 Jan 2021, at 05:17, Gary Windham
We're running 389-Directory/188.8.131.52 B2018.304.1940.
Is it possible via ACIs to restrict read/search permission on attributes with a
My use case is that we have an "isMemberOf" attribute in our directory, and we
have some group memberships that are of a sensitive nature. I would like to have all
"isMemberOf" attribute values *except* for these sensitive ones
readable/searchable to all authenticated user DNs, and the "sensitive" ones only
readable/searchable by a particular user DN.
Any ideas? From reading the Red Hat directory server ACI documentation, I can't find
a way to do this.
No, I don't think it's possible. Access controls are based on "which
attributes you can/can't see", rather than "you can see these attributes
except these values within them".
I think that in this case, the possible solutions would be to have an isMemberOfSensitive
separate to the isMemberOf, but that may break many other integrations.
An important question of course, is why are some group memberships sensitive? What is it
you are trying to achieve?
Thanks in advance,
Principal Enterprise Systems Architect
University Information Technology Services
The University of Arizona
Office: +1 520 626 5981
Senior Software Engineer, 389 Directory Server
SUSE Labs, Australia
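
The attribute-level split suggested in the reply, written out as ACIs. This is an added example, not configuration posted by either participant. It assumes a suffix of dc=example,dc=com, a hypothetical reader DN, and that isMemberOfSensitive is already defined in schema and populated by whatever process maintains the sensitive memberships.

```ldif
# Added illustration. The suffix, the reader DN and the ACL names are assumptions.
# ACIs select whole attributes (targetattr), so the sensitive values have to live
# in their own attribute before they can carry a different read rule.
# First ACI: any authenticated bind DN may read/search/compare isMemberOf.
# Second ACI: only one DN may read/search/compare isMemberOfSensitive.
dn: ou=people,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "isMemberOf")(version 3.0; acl "Authenticated users read isMemberOf"; allow (read, search, compare) userdn = "ldap:///all";)
aci: (targetattr = "isMemberOfSensitive")(version 3.0; acl "Single reader for isMemberOfSensitive"; allow (read, search, compare) userdn = "ldap:///uid=membership-auditor,ou=services,dc=example,dc=com";)
```

Allow rules are additive, so any existing ACI that grants read on targetattr = "*" (or otherwise covers the new attribute) would still expose isMemberOfSensitive. Review the ACIs already in effect on the subtree before relying on the split.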