Thanks for the quick response!

We might open a RFE for that, even though we not (in this case) will gain of it, but it would be a nice feature to extend targattrfilters for read operations also.


2016-04-27 9:11 GMT+02:00 Ludwig Krispenz <>:

On 04/27/2016 01:00 AM, William Brown wrote:
On Tue, 2016-04-26 at 12:30 +0200, Simon Oscarsson wrote:

I wonder if there is an ACI statement that allows to filter the response on
attribute values. OpenLDAP has something called ACI value selector (for
example "attrs=memberof val.childern='ou=Dummy,dc=test,dc=org'" that will
only return attribute values for 'memberof' having a value being part of
the subtree 'ou=Dummy,dc=test,dc=org' and filter away other memberof
values). There is an 'targattrfiltes' statement in 389 DS, but that only
applies on 'add' or 'delete' operations (would like to have one for 'read')
Unless I am misunderstanding your question,
yes, he wants additional access control by the value of the attr like we support it with targattrfilters for add/del of values. We don't have it for search.
targattrfilters was introduced with a specific use case in mind, like allowing users to assign roles to themselve, but restrict from specific roles.
It was not generalized for all operation types.

if you need this feature you can open an RFE, but it might take some time (versions) until it would be available.

you can use targetattr = "attr" to control read access to an attribute. IE:

(targetAttr = "uid" || "gid")(version3.0; acl "Read access to uid and gid"; allow (read, search) userdn="ldap:///anyone")

389-users mailing list

Red Hat GmbH,, Registered seat: Grasbrunn, 
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill

389-users mailing list