Re: LDAP attribute masking
- From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
- Date: Tue, 30 Jan 2007 22:32:25 -0500
Your realistic options are:
1. Use two attributes, one attribute has full id, the other has partial and then lock down who can see full ID. As JoeK mentioned, it generally isn't a good idea to lock down attribs in AD this way.
2. Keep the ID info in another store, SQL or ADAM, something like that that only admins have access to.
3. Look at Active Roles Server which has the idea of virtual attributes and extensive business rules and control. It is also costly.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
Dxdunbar@xxxxxxxxx wrote:
Hello, I'm in the process of building an application where help desk personnel will be able to query AD for a user's employee ID in order to verify account modification requests. I do not need for them to be able to see the entire ID, only the last five digits. I know I can do it within the app, but the problem I have is that if they were to use VBScript or Dsquery on their local machines to query LDAP then they would be able to see the entire ID. I would like to know if there is a way to mask an attribute in AD so that when non-administrators query AD it only returns n number of digits. Any insight will be appreciated.
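Option 1 in the reply needs something to keep the partial attribute in step with the full one; the following is an added example, not code from either poster, that builds LDIF modify records for that job. It assumes the full ID lives in `employeeID`, that the partial value goes in a hypothetical schema extension named `exampleEmployeeIdTail`, and that DNs are plain ASCII; the sample entries are constructed.

```python
import re

FULL_ATTR = "employeeID"                # attribute holding the full ID (to be locked down)
PARTIAL_ATTR = "exampleEmployeeIdTail"  # hypothetical attribute the help desk may read
KEEP = 5                                # digits the help desk needs to see


def partial_id(full_id, keep=KEEP):
    """Return the last `keep` digits, or None if masking would hide nothing."""
    digits = re.sub(r"\D", "", full_id or "")
    if len(digits) <= keep:
        return None  # the "partial" value would be the whole ID, so publish nothing
    return digits[-keep:]


def ldif_changes(entries):
    """Build LDIF modify records that bring PARTIAL_ATTR in line with FULL_ATTR."""
    records = []
    for entry in entries:
        want = partial_id(entry.get(FULL_ATTR))
        have = entry.get(PARTIAL_ATTR)
        if want == have:
            continue  # already in sync, no write needed
        lines = [f"dn: {entry['dn']}", "changetype: modify"]
        if want is None:
            lines += [f"delete: {PARTIAL_ATTR}", "-"]  # remove a stale or unsafe value
        else:
            lines += [f"replace: {PARTIAL_ATTR}", f"{PARTIAL_ATTR}: {want}", "-"]
        records.append("\n".join(lines))
    return "\n\n".join(records) + ("\n" if records else "")


# Constructed sample entries, as a directory export might return them.
SAMPLE = [
    {"dn": "CN=Ann Lee,OU=Staff,DC=example,DC=com", "employeeID": "0012345678"},
    {"dn": "CN=Bob Roy,OU=Staff,DC=example,DC=com", "employeeID": "EMP-4412",
     "exampleEmployeeIdTail": "4412"},
    {"dn": "CN=Cy Diaz,OU=Staff,DC=example,DC=com", "employeeID": "99887766",
     "exampleEmployeeIdTail": "87766"},
]

if __name__ == "__main__":
    print(ldif_changes(SAMPLE), end="")
```

The generated records only populate the partial attribute; restricting read access to the full attribute is a separate step.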