March 16th, 2011, 08:11 AM
Allow certain attributes to be listed based on users' group membership
Let's assume that I administer the dc=example,dc=com DIT, and that I store my users in ou=People,dc=example,dc=com and my groups in ou=Groups,dc=example,com.
I would like my users to be able to choose whether certain of their attributes will be published to authenticated users or not (like their email, telephone number, etc). I don't know how to accomplish this with acls, and the only 'solution' I figured was to create a group (eg. cn=Publish Email,ou=Group,dc=example,dc=com) and place anybody wishing to publish their mail attribute as a member for this group.
My problem is that I cannot figure out what my acl should look like, since I want <what> to refer to an attribute that will be shown to everybody *only* if the owner of this attribute is member of the specific group. So, it doesn't have to do with the "by <who>" clause (I think...), since a simple "by users read" will suffice once I figure out the <what> part (or am I wrong?).
If anybody knows a way to achieve this, it would help a lot!
Thank you all for your time and effort.
March 16th, 2011, 01:45 PM
I think I found a way to achieve almost exactly what I wish for. The acl reads like this:
access to dn.subtree="ou=People,dc=example,dc=com" attrs=mail
by anonymous none
by self write
by set="this & [cn=Publish Mail,ou=Groups,dc=example,dc=com]/uniqueMember " read
by * none
with this acl I manage to filter out anonymous users, allow self to change/add their mail and show everybody else the entry's mail, if the dn belongs to the specific group. Since anonymous is out, the rest of the users must be authenticated, and hence I 'converge' to my wished 'by users read'. It is not mathematically *exactly* what I wished for (I think...since I am not sure what other sort of users would exist, but the truth is that other dn's would be able -somehow- to access this tree...), but it is very, very, very close to it.
Any comments would be appreciated,
thank you all for your time.