On Wed, Mar 16, 2011 at 05:31:27PM +0200, George Mamalakis wrote:
> I am trying to find a way to hide/unhide attributes on my DIT (openldap-2.4.21) and I cannot find a way to do this. What I mean by hide/unhide is that I want specific attributes to be listed with ldapsearch only if the owner of the records agrees. I did not find any feature that does this "automatically", so I tried to implement it through acls. I created a group called i.e. "cn=publish mail,ou=Groups,dc=example,dc=com" where people wishing to disclose their emails are members of this group. On the acl statement I couldn't find a way to restrict my acl based on "conditional attributes".
There are several ways to do that. See my paper on ACL design for some examples:
http://www.skills-1st.co.uk/papers/ldap-acls-jan-2009/
Parts of section 10.5 might be useful, but as that is a rather complex example I suggest you do not start there!
Andrew
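A slapd.conf fragment that implements the opt-in approach George describes, added here as an illustration; it is not code from Andrew's paper or from the original thread. It takes the group DN and suffix from the question and assumes that the disclosed attribute is mail and that user entries sit under ou=People,dc=example,dc=com.

```conf
# Added example (not from the thread or the paper): opt-in disclosure of
# the mail attribute through group membership, slapd.conf syntax (2.4).
# Assumed: user entries live under ou=People,dc=example,dc=com; the opt-in
# group is cn=publish mail,ou=Groups,dc=example,dc=com (from the question).

# 1. Opting in and out without an administrator: any bound user may add or
#    remove only their own DN as a value of the group's member attribute
#    (the "self" prefix on "write"). Membership itself stays readable.
access to dn.exact="cn=publish mail,ou=Groups,dc=example,dc=com" attrs=member,entry
        by users selfwrite
        by * read

# 2. The mail attribute. Order matters: the first "access to" whose target
#    matches is the only one evaluated, and inside it the first matching
#    "by" clause wins, so this rule must precede any catch-all "access to *".
#    - the entry's owner always sees (and may change) their own address
#    - anonymous binds are stopped here, because a "set" clause only looks
#      at the target entry, not at who is asking
#    - the set clause matches when the target entry DN ("this") appears
#      among the member values of the opt-in group, so only opted-in
#      addresses become readable by other authenticated users
#    - everyone else gets nothing, not even "disclose"
access to dn.subtree="ou=People,dc=example,dc=com" attrs=mail
        by self write
        by anonymous none
        by set="[cn=publish mail,ou=Groups,dc=example,dc=com]/member & this" read
        by * none

# 3. The remaining attributes of user entries (adjust to local policy).
access to dn.subtree="ou=People,dc=example,dc=com"
        by self write
        by users read
        by * none
```

Check the result with ldapsearch bound as a user who is not in the group: entries of members should return mail, entries of non-members should not, and slapd -d acl shows which "by" clause matched.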