On 20.07.20 at 16:15, Olivier - wrote:
Thanks, but that's not what I wish to do.
In fact, I would like to have different behaviors depending on who is querying OR what is inside the data.

Example :

The record is :
   dn: cn=Smith,ou=public,c=com
   confidentiality: 1
   sn: Smith

If mister_privilege requests "sn" on this record, it will reply 'Smith'.
If mister_no_privilege requests "sn" on this record, it will reply 'xxx'.

Can we do something like this?

Yes you can, but AFAICS this is only possible via a customized OpenLDAP overlay. Before writing one you need not only to specify the confidentiality flag, but also how you define mister_privilege (would it be everyone with the flag canSeeConfidential=TRUE? Or will it be the membership of a particular group?)


The ACL-based solution will in any case be much cheaper. You can also put ACLs on single attributes, so that in this case you would be able, e.g., to hide sn but give away givenName. The difference from your requirement is that the non-privileged user sees nothing instead of seeing "XXX".

Cheers,

Peter





Thanks !


From: Marc Roos <M.Roos@f1-outsourcing.eu>
Sent: Monday, 22 June 2020 18:12
To: openldap-technical <openldap-technical@openldap.org>; piwako <piwako@outlook.fr>
Subject: RE: anonymize data
 

Maybe use acls with different ssf? This way you can keep your queries
the same and extract full data on your own very secure connection?


-----Original Message-----
To: openldap-technical@openldap.org
Subject: anonymize data

Hi all,

I have a question about anonymizing data.
My OpenLDAP has some confidential data inside and I would like this:
if a person has a flag confidentiality set to 1 (or is in a special ou),
OpenLDAP will replace or answer with different data.


For example:


If we request "sn" on this record, it will reply "Smith"

dn: cn=Smith,ou=public,c=com
confidentiality: 0
sn: Smith

If we request "sn" on this record, it will reply "XXX"

dn: cn=Bond,ou=public,c=com
confidentiality: 1
sn: Bond

I'm not sure OpenLDAP can offer this kind of functionality.
Thanks for your help !







-- 

Peter Gietz, CEO

DAASI International GmbH        
Europaplatz 3                   
D-72072 Tübingen                
Germany                    

phone: +49 7071 407109-0
fax:   +49 7071 407109-9  
email: peter.gietz@daasi.de
web:   www.daasi.de

Registered office: Tübingen
Register court: Amtsgericht Stuttgart, HRB 382175
Management: Peter Gietz
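
The attribute-level ACL approach from Peter's reply, combined with the ssf idea from Marc's reply, sketched as slapd.conf access rules. This is an added example, not configuration posted in the thread; the group DN cn=privileged,ou=groups,c=com and the ssf threshold of 128 are assumptions.

```conf
# Added example: slapd.conf access rules for the records shown in the thread.
# Assumptions (not from the thread): the group cn=privileged,ou=groups,c=com
# (a groupOfNames with "member" values) and the ssf threshold 128.
# The "confidentiality" attribute must already be defined in the schema.

# Rule 1: on entries flagged confidentiality=1, "sn" is readable only by
# members of the privileged group, and only when the connection's security
# strength factor is at least 128. Everyone else gets no access to it, so
# the attribute is omitted from results and cannot be matched in a filter.
access to dn.subtree="ou=public,c=com" filter="(confidentiality=1)" attrs=sn
    by group.exact="cn=privileged,ou=groups,c=com" ssf=128 read
    by * none

# Rule 2: all other attributes, and all entries with confidentiality=0,
# remain readable. Rules are evaluated in order and the first matching
# <what> clause wins, so this must come after Rule 1.
access to dn.subtree="ou=public,c=com"
    by * read
```

With these rules the unprivileged client receives the entry without sn rather than with a masked value, which is the difference Peter points out. In the sample records the surname also appears in cn and in the DN itself (cn=Bond,ou=public,c=com), which Rule 1 does not hide.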