#1 (Registered User, joined Mar 2011)
    Allow certain attributes to be listed based on users' group membership


    Hi everybody,

    Let's assume that I administer the dc=example,dc=com DIT, and that I store my users in ou=People,dc=example,dc=com and my groups in ou=Groups,dc=example,dc=com.

    I would like my users to be able to choose whether certain of their attributes will be published to authenticated users or not (like their email, telephone number, etc.). I don't know how to accomplish this with acls, and the only 'solution' I figured was to create a group (e.g. cn=Publish Email,ou=Group,dc=example,dc=com) and place anybody wishing to publish their mail attribute as a member of this group.

    My problem is that I cannot figure out what my acl should look like, since I want <what> to refer to an attribute that will be shown to everybody *only* if the owner of this attribute is member of the specific group. So, it doesn't have to do with the "by <who>" clause (I think...), since a simple "by users read" will suffice once I figure out the <what> part (or am I wrong?).

    If anybody knows a way to achieve this, it would help a lot!

    Thank you all for your time and effort.
#2 (Registered User, joined Mar 2011)
    I think I found a way to achieve almost exactly what I wish for. The acl reads like this:

    access to dn.subtree="ou=People,dc=example,dc=com" attrs=mail
        by anonymous none
        by self write
        by set="this & [cn=Publish Mail,ou=Groups,dc=example,dc=com]/uniqueMember" read
        by * none

    With this acl I manage to filter out anonymous users, allow self to change/add their mail, and show everybody else the entry's mail if the dn belongs to the specific group. Since anonymous is out, the rest of the users must be authenticated, and hence I 'converge' to my wished 'by users read'. It is not mathematically *exactly* what I wished for (I think... since I am not sure what other sort of users would exist, but the truth is that other dn's would be able, somehow, to access this tree...), but it is very, very, very close to it.

    Any comments would be appreciated,

    thank you all for your time.

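The same opt-in rule, written out as an added example (not code from the thread) in cn=config form so it can be loaded with ldapmodify, and extended to a second attribute with its own opt-in group. Assumed names: the database entry olcDatabase={1}mdb,cn=config, and a second group cn=Publish Phone under ou=Groups; the group objects are assumed to be groupOfUniqueNames (use /member instead of /uniqueMember for groupOfNames).

```ldif
# Constructed example: per-attribute opt-in publishing via group membership.
# In a set clause, "this" is the DN of the entry being read, and
# "[<groupDN>]/uniqueMember" expands to that group's uniqueMember values.
# The intersection is non-empty only when the entry's own DN is listed in the
# group, so the clause grants read on the attribute only for opted-in users.
# Clauses are tested in order and the first match wins: anonymous binds are
# refused first, the owner keeps write, opted-in entries are readable by any
# remaining (i.e. authenticated) requester, and everything else falls to none.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.subtree="ou=People,dc=example,dc=com" attrs=mail
  by anonymous none
  by self write
  by set="this & [cn=Publish Mail,ou=Groups,dc=example,dc=com]/uniqueMember" read
  by * none
olcAccess: {1}to dn.subtree="ou=People,dc=example,dc=com" attrs=telephoneNumber
  by anonymous none
  by self write
  by set="this & [cn=Publish Phone,ou=Groups,dc=example,dc=com]/uniqueMember" read
  by * none
# Keep a broader rule for the remaining attributes after the specific ones,
# because attrs-specific rules must precede any "to dn.subtree=..." rule that
# would otherwise match the same entries first.
olcAccess: {2}to dn.subtree="ou=People,dc=example,dc=com"
  by self write
  by users read
  by * none
```

The continuation lines carry two leading spaces on purpose: LDIF folding strips one, and the other keeps the `by` clauses separated from the preceding text. A user who has not yet been added to a group should see the attribute vanish for other binds in an ldapsearch as a simple check that ordering is right.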