This article describes how to hide a specific user attribute in OX via LDAP ACL. In this example we hide the attribute
employeeNumber
so it won’t show in the OX address book. Further information regarding the OX-Connector can be found in the manual.
1. Open the shell of the OX-Connector on the DC it’s installed on
univention-app shell ox-connector
2. Display the OX Container DN
grep 'ldap/hostdn' /etc/univention/base.conf
3. Exit the OX Connector Shell
Ctrl + D
4. Create the ACL template file on Primary DC
vim /usr/local/share/66ox_employee_number.acl
with the following content:
# block access to the employeeNumber for OX-Connector
access to attrs=employeeNumber
    by dn.base="cn=ox-co-73051129,cn=memberserver,cn=computers,dc=tierheim,dc=intranet" none
    by * none break
Check that you put the correct DN from step 2 in here!
5. Install the ACL
. /usr/share/univention-lib/ldap.sh
ucs_registerLDAPExtension \
--packagename ox_employee_number \
--packageversion 1.0 \
--acl /usr/local/share/66ox_employee_number.acl
6. Resync the OX-Connector (on the DC it’s installed on) to apply the change to existing OX objects.
For new objects/users, this step is not necessary. Most of the time though, there are existing users who need to be resynced for this change to apply.
CAUTION: A resync could overwrite data to some default and can take a very long time and block the LDAP replication in the meantime.
univention-directory-listener-ctrl resync ox-connector
7. Monitor the status of the OX-Connector
tail -f /var/log/univention/listener_modules/ox-connector.log
8. When the resync has finished, no object should have the attribute employeeNumber
replicated to OX any more, which is what we want: the attribute no longer appears in the address book.
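As an added example (not part of the original article), the following POSIX shell helpers tie steps 2, 4 and 8 together: they extract the connector DN from the grep output of step 2, render the ACL file of step 4 from it so the DN is never copied by hand (the mistake the check after step 4 warns about), and count how many entries of a search result still expose the attribute once the resync of step 6 has finished. The base.conf excerpt, the connector DN and the two LDIF results below are constructed sample data; the ldapsearch invocation in the usage note assumes /etc/machine.secret and ucr are available inside the connector container.

```shell
#!/bin/sh
# Added example, not from the original article. Helpers for the procedure above:
#   hostdn_from_baseconf   - pull ldap/hostdn out of base.conf text (step 2)
#   render_acl             - write the ACL of step 4 for a given attribute and DN
#   count_entries_with_attr - count LDIF entries still carrying the attribute (step 8)
# All sample data below is constructed for the example.

# Parse "ldap/hostdn: <dn>" as printed by: grep 'ldap/hostdn' /etc/univention/base.conf
hostdn_from_baseconf() {
    # $1 = text in base.conf format, one "key: value" per line
    printf '%s\n' "$1" | sed -n 's|^ldap/hostdn: *||p' | head -n 1
}

# Minimal plausibility check: a computer DN starts with cn= and has a dc= component.
is_plausible_dn() {
    case "$1" in
        cn=*,*dc=*) return 0 ;;
        *) return 1 ;;
    esac
}

# Render the ACL from step 4. Refuses to write a file with an implausible DN,
# because a typo here silently leaves the attribute visible to the connector.
render_acl() {
    # $1 = attribute to hide, $2 = connector DN
    is_plausible_dn "$2" || { echo "render_acl: implausible DN: $2" >&2; return 1; }
    printf '# block access to the %s for OX-Connector\n' "$1"
    printf 'access to attrs=%s\n' "$1"
    printf '    by dn.base="%s" none\n' "$2"
    printf '    by * none break\n'
}

# Count entries in an LDIF search result that still carry the attribute.
# "|| true" keeps the exit status 0 when grep finds nothing (it prints 0).
count_entries_with_attr() {
    # $1 = attribute name, $2 = LDIF text
    printf '%s\n' "$2" | grep -c "^$1:" || true
}

# --- constructed sample data ------------------------------------------------
SAMPLE_BASECONF='ldap/base: dc=example,dc=test
ldap/hostdn: cn=ox-co-00000000,cn=memberserver,cn=computers,dc=example,dc=test
ldap/server/name: dc.example.test'

# What a search bound as the connector returns before the ACL is active ...
LDIF_BEFORE='dn: uid=alice,cn=users,dc=example,dc=test
uid: alice
employeeNumber: 1001

dn: uid=bob,cn=users,dc=example,dc=test
uid: bob
employeeNumber: 1002'

# ... and after the ACL is active: the attribute is simply absent.
LDIF_AFTER='dn: uid=alice,cn=users,dc=example,dc=test
uid: alice

dn: uid=bob,cn=users,dc=example,dc=test
uid: bob'

# --- demonstration (runs stand-alone) ---------------------------------------
DN=$(hostdn_from_baseconf "$SAMPLE_BASECONF")
echo "connector DN from base.conf: $DN"
echo "--- ACL to install as /usr/local/share/66ox_employee_number.acl ---"
render_acl employeeNumber "$DN"
echo "entries exposing employeeNumber before ACL: $(count_entries_with_attr employeeNumber "$LDIF_BEFORE")"
echo "entries exposing employeeNumber after ACL:  $(count_entries_with_attr employeeNumber "$LDIF_AFTER")"
```

To feed real data into count_entries_with_attr, run a search bound as the connector account from inside the container (univention-app shell ox-connector), for example ldapsearch -x -H "ldap://$(ucr get ldap/server/name)" -D "$(ucr get ldap/hostdn)" -y /etc/machine.secret -b "$(ucr get ldap/base)" -LLL '(uid=*)' employeeNumber, and pipe the result into the function. A count of zero for the connector bind while a privileged bind still returns the values confirms that the ACL, and not a missing attribute, is what hides employeeNumber.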
Revert and deactivate the ACL
If you wish to deactivate the ACL, run the following on the Primary DC:
. /usr/share/univention-lib/ldap.sh
ucs_unregisterLDAPExtension --acl 66ox_employee_number
ucr commit /etc/ldap/slapd.conf
service slapd restart