Besides reducing security risk, you can use ACIs to limit the XML for Portal data transmitted back to the Outlook Connector client.
The following ACI rule prevents delivery of the user password and also restricts the returned attributes to those expected by the Outlook LDAP Browser. You set the access rights in the Directory Server console:
aci: (targetattr = "initials || cn || mail || display-name || displayName || sn || co || o || givenName || objectClass || uid || mailnickname || title || company || physicalDeliveryOfficeName || telephoneNumber") (targetfilter = (objectClass=icscalendaruser)) (version 3.0;acl "Allow Calendar users to read and search other users - product=ics,class=admin,num=3,version=1";allow (read,search)(userdn = "ldap:///uid=*, ou=People,o=red.siroe.com, o=ugdata");)
The targetattr lists the attributes this rule allows to be read and searched. Because Directory Server access control is default-deny, every attribute not named in the list (userpassword included) is blocked, provided no other ACI on the suffix grants access to it. The targetfilter restricts the rule to entries that have objectClass=icscalendaruser assigned; entries without that object class are not covered by this rule at all.
The following ldapsearch command, run while bound as an ordinary user (jhawk), confirms two things: first, the userpassword attribute is no longer visible to end users; second, the returned LDAP attributes are limited to those expected by Outlook's LDAP Browser. Note that -w places the bind password on the command line, where it is visible in the process list and shell history, so use this form only in a test environment.
# ldapsearch -b ou=people,o=red.siroe.com,o=ugdata -D "uid=jhawk,ou=people,o=red.siroe.com,o=ugdata" -w demo "cn=naomi*" | more
uid=nhawkins,ou=People,o=red.siroe.com,o=ugdata
uid=nhawkins
givenName=Naomi
mail=naomi.hawkins@red.siroe.com
sn=Hawkins
cn=Naomi Hawkins
objectClass=userpresenceprofile
objectClass=sunucpreferences
objectClass=iplanet-am-user-service
objectClass=iplanet-am-managed-person
objectClass=top
objectClass=icscalendaruser
objectClass=organizationalperson
objectClass=inetadmin
objectClass=person
objectClass=inetuser
objectClass=sunssoadapterperson
objectClass=inetlocalmailrecipient
objectClass=iplanetpreferences
objectClass=ipuser
objectClass=inetorgperson
objectClass=sunportaldesktopperson
objectClass=inetsubscriber
objectClass=inetmailuser
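The following Python script is an added example, not part of the original page or of the Calendar Server product. It models the two points made above, that targetattr is a default-deny allow list and that targetfilter scopes the rule to icscalendaruser entries, and it checks captured ldapsearch output of the attr=value layout shown above for attributes the ACI should not have returned. The ACI string is the one from the page; the service-account entry, the userpassword and mailhost values, and the "before" output are constructed for illustration. Only single-term targetfilters are handled.

```python
import re

# The ACI from the page, copied verbatim.
ACI = (
    '(targetattr = "initials || cn || mail || display-name || displayName || sn || co '
    '|| o || givenName || objectClass || uid || mailnickname || title || company '
    '|| physicalDeliveryOfficeName || telephoneNumber") '
    '(targetfilter = (objectClass=icscalendaruser)) '
    '(version 3.0;acl "Allow Calendar users to read and search other users - '
    'product=ics,class=admin,num=3,version=1";allow (read,search)'
    '(userdn = "ldap:///uid=*, ou=People,o=red.siroe.com, o=ugdata");)'
)


def parse_targetattr(aci):
    """Return the attribute names listed in targetattr, lower-cased
    (LDAP attribute names are case-insensitive)."""
    m = re.search(r'targetattr\s*=\s*"([^"]*)"', aci)
    return {name.strip().lower() for name in m.group(1).split("||")}


def parse_targetfilter(aci):
    """Return (attribute, value) from a single-term targetfilter such as
    (objectClass=icscalendaruser). Compound filters are out of scope here."""
    m = re.search(r'targetfilter\s*=\s*\(([^()]*)\)', aci)
    attr, value = m.group(1).split("=", 1)
    return attr.strip().lower(), value.strip().lower()


def visible_attributes(aci, entry):
    """Simulate what a user matched by the userdn clause sees of ENTRY through this
    one allow rule. Directory Server access control is default-deny: an attribute is
    readable only if some allow rule names it, and this rule applies only to entries
    matching its targetfilter. ENTRY is {attribute: [values]}; keys are returned
    lower-cased."""
    allowed = parse_targetattr(aci)
    fattr, fvalue = parse_targetfilter(aci)
    entry = {k.lower(): v for k, v in entry.items()}
    covered = any(v.lower() == fvalue for v in entry.get(fattr, []))
    if not covered:
        return {}  # entry not in scope of this rule, so nothing is granted by it
    return {k: v for k, v in entry.items() if k in allowed}


def check_search_output(output, aci):
    """Check captured ldapsearch output in the page's attr=value layout: each entry
    starts with its DN line and entries are separated by a blank line. Returns the
    set of returned attribute names the ACI does not permit (empty means pass)."""
    allowed = parse_targetattr(aci)
    leaked = set()
    for block in output.strip().split("\n\n"):
        for line in block.splitlines()[1:]:  # skip the DN line
            name = line.split("=", 1)[0].strip().lower()
            if name not in allowed:
                leaked.add(name)
    return leaked


# Entry as the directory holds it; the userPassword value is constructed.
NAOMI = {
    "uid": ["nhawkins"], "cn": ["Naomi Hawkins"], "sn": ["Hawkins"],
    "givenName": ["Naomi"], "mail": ["naomi.hawkins@red.siroe.com"],
    "userPassword": ["{SSHA}c29tZWhhc2g="],
    "objectClass": ["top", "person", "inetorgperson", "icscalendaruser"],
}

# Constructed entry without icscalendaruser: the rule does not cover it.
SERVICE_ACCOUNT = {
    "uid": ["svc-backup"], "cn": ["Backup Service"],
    "objectClass": ["top", "person"],
}

# Search result after the ACI is in place (abbreviated from the page's output).
AFTER = """uid=nhawkins,ou=People,o=red.siroe.com,o=ugdata
uid=nhawkins
givenName=Naomi
mail=naomi.hawkins@red.siroe.com
sn=Hawkins
cn=Naomi Hawkins
objectClass=top
objectClass=person
objectClass=icscalendaruser
objectClass=inetorgperson
"""

# Constructed "before" output: what an over-broad allow rule would hand back.
BEFORE = """uid=nhawkins,ou=People,o=red.siroe.com,o=ugdata
uid=nhawkins
givenName=Naomi
mail=naomi.hawkins@red.siroe.com
sn=Hawkins
cn=Naomi Hawkins
userpassword={SSHA}c29tZWhhc2g=
mailhost=mail.red.siroe.com
objectClass=top
objectClass=icscalendaruser
"""

if __name__ == "__main__":
    print("visible to calendar users:", sorted(visible_attributes(ACI, NAOMI)))
    print("service account visible:", visible_attributes(ACI, SERVICE_ACCOUNT))
    print("leaked after ACI:", check_search_output(AFTER, ACI))
    print("leaked before ACI:", check_search_output(BEFORE, ACI))
```

To check a live server rather than the constructed samples, save the real ldapsearch output to a file and pass its contents to check_search_output; any name it returns is an attribute that some other ACI must be granting.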