On 20.07.2020 at 19:57, Howard Chu wrote:
> Peter Gietz wrote:
>> On 20.07.20 at 16:15, Olivier - wrote:
>>> Thanks, but that's not what I wish to do.
>>> In fact, I would like to have different behaviors depending on who is
>>> querying OR what is inside the data
>>>
>>> Example:
>>>
>>> The record is:
>>> dn: cn=Smith,ou=public,c=com
>>> confidentiality: 1
>>> sn: Smith
>>>
>>> if mister_privilege requests "sn" on this record, it will reply 'Smith'
>>> if mister_no_privilege requests "sn" on this record, it will reply 'xxx'
>>>
>>> Can we do something like this?
>> Yes you can, but AFAICS such is only possible via a customized OpenLDAP
>> overlay.
> No, you can do this with the standard ACL engine, using a value-specific ACL.
> The only caveat is you must also store the value "sn: xxx", and assign the
> appropriate value ACL to it so that mister_no_privilege can see it.

Good point. The question is whether such overhead (every confidential attribute needs another value "xxx" in every entry) is worthwhile.

Cheers,

Peter

-- 
Peter Gietz, CEO
DAASI International GmbH
Europaplatz 3
D-72072 Tübingen
Germany

phone: +49 7071 407109-0
fax: +49 7071 407109-9
email: [email protected]
web: www.daasi.de

Registered office: Tübingen
Court of registration: Amtsgericht Stuttgart, HRB 382175
Management: Peter Gietz
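
An added example, not taken from the thread or from the OpenLDAP project: one way the value-specific ACL described in Howard Chu's reply could be written in slapd.conf for the record quoted above. The bind DN `cn=mister_privilege,ou=people,c=com`, the choice to hide the placeholder from that identity, and the final catch-all rule are assumptions.

```conf
# Added example. Assumed: the privileged bind DN and the catch-all rule.
# Each confidential entry stores both values: "sn: Smith" and "sn: xxx".

# Rule 1: the placeholder value "xxx" on confidential entries.
# Hidden from the privileged identity, readable by everyone else.
access to dn.subtree="ou=public,c=com" filter="(confidentiality=1)"
        attrs=sn val.exact="xxx"
    by dn.exact="cn=mister_privilege,ou=people,c=com" none
    by * read

# Rule 2: every other sn value on confidential entries (the real one).
# Readable only by the privileged identity.
access to dn.subtree="ou=public,c=com" filter="(confidentiality=1)"
        attrs=sn
    by dn.exact="cn=mister_privilege,ou=people,c=com" read
    by * none

# Rule 3 (assumed site policy): all remaining attributes and entries.
access to *
    by * read
```

Rule order matters here: slapd applies the first rule whose target matches, so the value-specific rule has to come before the general `sn` rule.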
