Hi all,
I have a question about anonymizing data. My OpenLDAP has some confidential data inside and I would like this: if a person has a confidentiality flag set to 1 (or is in a special ou), OpenLDAP will replace it or answer with different data.
For example:
if we request "sn" on this record, it will reply "Smith":
dn: cn=Smith,ou=public,c=com
confidentiality: 0
sn: Smith
if we request "sn" on this record, it will reply "XXX":
dn: cn=Bond,ou=public,c=com
confidentiality: 1
sn: Bond
I'm not sure OpenLDAP can offer this kind of functionality. Thanks for your help!
Maybe use ACLs with different ssf? This way you can keep your queries the same and extract full data on your own very secure connection?
Thanks, but that's not what I wish to do. In fact, I would like to have different behaviors depending on who is querying OR what is inside the data.
Example:
The record is:
dn: cn=Smith,ou=public,c=com
confidentiality: 1
sn: Smith
if mister_privilege requests "sn" on this record, it will reply 'Smith'
if mister_no_privilege requests "sn" on this record, it will reply 'xxx'
Can we do something like this?
Thanks!
From: Marc Roos M.Roos@f1-outsourcing.eu Sent: Monday 22 June 2020 18:12 To: openldap-technical openldap-technical@openldap.org; piwako piwako@outlook.fr Subject: RE: anonymize data
On 20.07.20 at 16:15, Olivier - wrote:
Thanks, but that's not what I wish to do. In fact, I would like to have different behaviors depending on who is querying OR what is inside the data.
Example:
The record is:
dn: cn=Smith,ou=public,c=com
confidentiality: 1
sn: Smith
if mister_privilege requests "sn" on this record, it will reply 'Smith'
if mister_no_privilege requests "sn" on this record, it will reply 'xxx'
Can we do something like this?
Yes you can, but AFAICS such is only possible via a customized OpenLDAP overlay. Before writing such you need not only to specify the confidentiality flag, but also how you define mister_privilege (would it be everyone with the flag canSeeConfidential=TRUE? Or will it be the membership of a particular group?)
The ACL based solution will in any case be much cheaper. You can also put ACLs on single attributes, so that in this case you would be able, e.g., to hide sn but give away givenName. The difference from your requirement is that the non-privileged user sees nothing instead of seeing "XXX".
Cheers,
Peter
Peter Gietz wrote:
Yes you can, but AFAICS such is only possible via a customized OpenLDAP overlay.
No, you can do this with the standard ACL engine, using a value-specific ACL. The only caveat is you must also store the value "sn: xxx", and assign the appropriate value ACL to it so that mister_no_privilege can see it.
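Howard Chu's value-specific ACL approach, written out as an added slapd.conf fragment that is not from the thread. It assumes a hypothetical group cn=privileged,ou=groups,c=com holds the privileged readers, that the custom attribute confidentiality exists in the schema, and that each confidential entry stores the placeholder as an extra value (sn: xxx) next to the real one.

```conf
# Added example, not from the thread. Assumptions: the hypothetical group
# cn=privileged,ou=groups,c=com holds the privileged readers; the custom
# attribute "confidentiality" is defined in the schema; every confidential
# entry carries both "sn: Smith" and the placeholder value "sn: xxx".
# slapd uses the first "access to" clause whose <what> part matches the
# value being checked, so the placeholder rule must precede the general rule.

# 1. The placeholder value on a confidential entry: readable by everyone
#    except the privileged group, which should only ever see the real name.
access to filter=(confidentiality=1) attrs=sn val.exact="xxx"
    by group.exact="cn=privileged,ou=groups,c=com" none
    by * read

# 2. Any other sn value on a confidential entry (the real one): only the
#    privileged group may read it. "none" rather than "search" also keeps
#    unprivileged clients from probing it with a filter such as (sn=Smith).
#    To flag entries by location instead, replace the filter with
#    dn.subtree="ou=confidential,c=com".
access to filter=(confidentiality=1) attrs=sn
    by group.exact="cn=privileged,ou=groups,c=com" read
    by * none

# 3. sn on non-confidential entries, and the flag itself, stay public.
access to attrs=sn,confidentiality
    by * read

# 4. Everything else remains readable; adapt this to the existing policy.
access to *
    by * read
```

With these rules an unprivileged bind searching cn=Smith gets back only sn: xxx, while a member of the privileged group gets only sn: Smith.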
On 20.07.2020 at 19:57, Howard Chu wrote:
No, you can do this with the standard ACL engine, using a value-specific ACL. The only caveat is you must also store the value "sn: xxx", and assign the appropriate value ACL to it so that mister_no_privilege can see it.
Good point. The question is whether such overhead (every confidential attribute needs another value "xxx" in every entry) is worthwhile.
Cheers,
Peter
--On Monday, June 22, 2020 9:15 AM +0000 Olivier - piwako@outlook.fr wrote:
I'm not sure OpenLDAP can offer this kind of functionality. Thanks for your help!
You can use access rules to make it so it returns nothing if confidentiality=1, but not XXXX.
I did this when at Stanford; some examples of how to achieve this can be found here: https://uit.stanford.edu/service/directory/aclexamples
Regards, Quanah
--
Quanah Gibson-Mount, Product Architect, Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com