On 20.07.2020 at 19:57, Howard Chu wrote:
Peter Gietz wrote:
On 20.07.20 at 16:15, Olivier - wrote:
Thanks, but that is not what I wish to do. In fact, I would like to have different behaviors depending on who is querying OR what is inside the data.
Example:
The record is:
dn: cn=Smith,ou=public,c=com
confidentiality: 1
sn: Smith
If mister_privilege requests "sn" on this record, it will reply 'Smith'.
If mister_no_privilege requests "sn" on this record, it will reply 'xxx'.
Can we do something like this?
Yes you can, but AFAICS such is only possible via a customized OpenLDAP overlay.
No, you can do this with the standard ACL engine, using a value-specific ACL. The only caveat is you must also store the value "sn: xxx", and assign the appropriate value ACL to it so that mister_no_privilege can see it.
Good point. The question is whether such overhead (every confidential attribute needs another value "xxx" in every entry) is worthwhile.
Cheers,
Peter
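
The value-specific ACL approach discussed in this thread, as an added example that is not part of the original messages: a slapd.conf access-control fragment in slapd.access(5) syntax for the record quoted above, with "sn: xxx" stored as a second value. The bind DNs under ou=people and the use of the confidentiality attribute in an ACL filter are assumptions made for illustration.

```conf
# Added example (not from the thread). Assumed stored entry:
#   dn: cn=Smith,ou=public,c=com
#   confidentiality: 1
#   sn: Smith
#   sn: xxx
# Assumed bind DNs: cn=mister_privilege,ou=people,c=com
#                   cn=mister_no_privilege,ou=people,c=com

# Rules are evaluated in order and the first matching <what> clause decides,
# so the value-specific rule must come before the general rule for sn.

# 1. The placeholder value "xxx" of sn in confidential entries:
#    hidden from the privileged identity, readable by everyone else.
access to dn.subtree="ou=public,c=com" filter="(confidentiality=1)"
        attrs=sn val.exact="xxx"
    by dn.exact="cn=mister_privilege,ou=people,c=com" none
    by * read

# 2. Every other value of sn in confidential entries (the real "Smith"):
#    readable only by the privileged identity.
access to dn.subtree="ou=public,c=com" filter="(confidentiality=1)"
        attrs=sn
    by dn.exact="cn=mister_privilege,ou=people,c=com" read
    by * none

# 3. Remaining attributes and non-confidential entries under ou=public.
#    Assumption: public read is acceptable here; tighten as required.
access to dn.subtree="ou=public,c=com"
    by * read
```

With these rules a search for sn by mister_privilege should return only "Smith" and the same search by mister_no_privilege only "xxx"; running slapacl against each bind DN and each value is a quick way to confirm the outcome before deploying.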