Hi,
I wonder if there is an ACI statement that allows filtering the response on attribute values. OpenLDAP has something called an ACI value selector (for example "attrs=memberof val.children='ou=Dummy,dc=test,dc=org'" that will only return attribute values for 'memberof' having a value being part of the subtree 'ou=Dummy,dc=test,dc=org' and filter away other memberof values). There is a 'targattrfilters' statement in 389 DS, but that only applies on 'add' or 'delete' operations (would like to have one for 'read')
Thanks /Simon
While looking for more backup information I stumbled upon this link. I think you could create one.
https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_Access_Control-Creati...
Also, you might try looking here, as it says they can be listed. https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_Access_Control-Viewin...
Job
On Tue, 2016-04-26 at 12:30 +0200, Simon Oscarsson wrote:
Unless I am misunderstanding your question,
you can use targetattr = "attr" to control read access to an attribute, i.e.:
(targetattr = "uid || gid")(version 3.0; acl "Read access to uid and gid"; allow (read, search) userdn = "ldap:///anyone";)
On 04/27/2016 01:00 AM, William Brown wrote:
Unless I am misunderstanding your question,
yes, he wants additional access control by the value of the attr like we support it with targattrfilters for add/del of values. We don't have it for search. targattrfilters was introduced with a specific use case in mind, like allowing users to assign roles to themselves, but restrict from specific roles. It was not generalized for all operation types.
Simon, if you need this feature you can open an RFE, but it might take some time (versions) until it would be available.
Ludwig
-- 389-users mailing list 389-users@lists.fedoraproject.org http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
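Since 389 DS has no read-time equivalent of OpenLDAP's val.children selector (as Ludwig confirms above), the only place to narrow memberOf values by subtree is on the consuming side. The following is an added example, not code from the thread or from 389 DS: it emulates the selector at a client or proxy by parsing DNs per RFC 4514 escaping and comparing RDN suffixes. It goes beyond the thread's children case and also covers onelevel, subtree and base scopes; it assumes caseIgnore normalisation of DN components and ignores multi-valued RDN ordering, and the sample entry is constructed.

```python
"""Client-side emulation of OpenLDAP's ACI value selector (val.children etc.)."""
from typing import Dict, List


def parse_dn(dn: str) -> List[str]:
    """Split a DN into normalised RDN strings. Backslash-escaped commas do not
    split (RFC 4514); attribute types and values are lower-cased and trimmed
    (assumption: caseIgnore matching, the usual rule for DN-syntax values)."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    out = []
    for rdn in rdns:
        typ, _, val = rdn.partition("=")
        out.append(f"{typ.strip().lower()}={val.strip().lower()}")
    return out


def dn_matches(value_dn: str, base_dn: str, scope: str = "children") -> bool:
    """Is value_dn at the given scope relative to base_dn?
    children: strict subordinate; onelevel: immediate child; subtree: base or
    any subordinate; base: the base entry itself."""
    v, b = parse_dn(value_dn), parse_dn(base_dn)
    if len(v) < len(b) or v[len(v) - len(b):] != b:
        return False
    depth = len(v) - len(b)
    return {"base": depth == 0, "onelevel": depth == 1,
            "children": depth >= 1, "subtree": depth >= 0}[scope]


def filter_attr_values(entry: Dict[str, List[str]], attr: str, base_dn: str,
                       scope: str = "children") -> Dict[str, List[str]]:
    """Return a copy of entry keeping only the values of `attr` (matched
    case-insensitively, as LDAP does) that satisfy the selector."""
    return {name: ([x for x in vals if dn_matches(x, base_dn, scope)]
                   if name.lower() == attr.lower() else list(vals))
            for name, vals in entry.items()}


# Constructed sample entry (hypothetical, not from the thread).
SAMPLE_ENTRY = {
    "uid": ["simon"],
    "memberOf": ["cn=Dummy Admins,ou=Dummy,dc=test,dc=org",
                 "cn=Team\\, Blue,ou=Groups,ou=Dummy,dc=test,dc=org",
                 "CN=Payroll, OU=Finance, DC=test, DC=org",
                 "ou=Dummy,dc=test,dc=org"],
}
```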
Thanks for the quick response!
We might open an RFE for that, even though we will not (in this case) gain from it, but it would be a nice feature to extend targattrfilters for read operations also.
Regards /Simon
2016-04-27 9:11 GMT+02:00 Ludwig Krispenz lkrispen@redhat.com: