On Thu, 2018-02-22 at 12:17 +0100, Angel Bosch wrote:
> hi,
> 
> I need one specific attribute to be hidden for anyone but one group.
> 
> I've tested this one:
> 
>      (targetattr = "myCustomAttr") (version 3.0; acl "deny all but
> admins"; deny (all) groupdn !=
> "ldap:///cn=admins,ou=Groups,dc=company,dc=global";;)
> 
> and seems to work. 
> 
> Is this the right way to do it?

A better way to write this is:

(targetattr = "mycustomattr")(version 3.0; acl "allow admins
mycustomattr"; allow (all) groupdn =
"ldap:///cn=admins,ou=Groups,dc=company,dc=global";;)

That's a better rule.

> Can I face any side effects?

So if you apply the "allow" rather than the deny rule here, and a "non-
admin" user can read mycustomattr, that indicates a bug in your acl's.

I have some posts about this which might help:

https://fy.blackhats.net.au/blog/html/2015/07/04/Unit_testing_LDAP_acis
_for_fun_and_profit.html?highlight=aci

This is a very common "anti-pattern" I see, and it creates huge
security issues. If you find with the "allow" version that this is
happening, check your other rules! 

Hope that helps, 

> 
> regards,
> 
> abosch
> 
> 
> -- 
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.o
> rg
-- 
Thanks,

William Brown
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org

Reply via email to