On Tue, 2016-04-26 at 12:30 +0200, Simon Oscarsson wrote:
> Hi,
> 
> I wonder if there is an ACI statement that allows filtering the response on
> attribute values. OpenLDAP has something called ACI value selector (for
> example "attrs=memberof val.children='ou=Dummy,dc=test,dc=org'" that will
> only return attribute values for 'memberof' having a value being part of
> the subtree 'ou=Dummy,dc=test,dc=org' and filter away other memberof
> values). There is a 'targattrfilters' statement in 389 DS, but that only
> applies on 'add' or 'delete' operations (would like to have one for 'read')

Unless I am misunderstanding your question, you can use targetattr = "attr" to control read access to an attribute, i.e.:

(targetAttr = "uid" || "gid")(version 3.0; acl "Read access to uid and gid"; allow (read, search) userdn="ldap:///anyone";)



-- 
Sincerely,

William Brown
Software Engineer
Red Hat, Brisbane

--
389-users mailing list
389-users@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
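
As an added illustration, not part of the original thread and not code from 389 DS or OpenLDAP: a small Python model contrasting attribute-level read control (what `targetattr` grants) with the value-level filtering the question describes (`val.children`). The sample entry and all function names are constructed for this example, and DN normalisation is simplified to trimming and lowercasing.

```python
# Model of two read-control granularities; an added example, not server code.

def rdns(dn):
    """Split a DN into RDNs, honouring backslash-escaped commas (simplified)."""
    parts, cur, esc = [], "", False
    for ch in dn:
        if esc:
            cur, esc = cur + ch, False
        elif ch == "\\":
            cur, esc = cur + ch, True
        elif ch == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return [p.strip().lower() for p in parts]

def is_child(value_dn, base_dn):
    """True when value_dn lies strictly below base_dn ('children' style)."""
    v, b = rdns(value_dn), rdns(base_dn)
    return len(v) > len(b) and v[-len(b):] == b

def attribute_level_read(entry, readable_attrs):
    """Attribute granularity: a readable attribute comes back with all values."""
    allowed = {a.lower() for a in readable_attrs}
    return {a: list(vals) for a, vals in entry.items() if a.lower() in allowed}

def value_level_read(entry, attr, base_dn):
    """Value granularity: only values located below base_dn are returned."""
    return [v for v in entry.get(attr, []) if is_child(v, base_dn)]

# Constructed sample entry (hypothetical user and groups).
ENTRY = {
    "uid": ["jdoe"],
    "memberof": [
        "cn=app-users,ou=Dummy,dc=test,dc=org",
        "cn=admins,ou=Groups,dc=test,dc=org",
        "ou=Dummy,dc=test,dc=org",            # the base itself, not a child
        "cn=a\\,ou=Dummy,dc=test,dc=org",     # escaped comma: one RDN, not below ou=Dummy
    ],
}
BASE = "ou=Dummy,dc=test,dc=org"

if __name__ == "__main__":
    print(attribute_level_read(ENTRY, ["memberOf"]))
    print(value_level_read(ENTRY, "memberof", BASE))
```

The escaped-comma value shows why the comparison has to be done on parsed RDNs rather than as a plain string suffix match.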
