Ben Beuchler wrote:
> By the time we roll in our OS X, mail, and internal data, individual
> directory entries are getting quite large. I would like to restrict
> anonymous queries to just retrieving a small subset of attributes (cn,
> displayName, mail, ou, etc.).
>
> Is there some method that would allow me to specify which attributes
> an anonymous user can see, and default to denying the rest?
>
> This is what I tried:
>
> -------------------
>
> # Let anonymous users read just the basic attributes
> access to dn.subtree="dc=users,dc=accounts,dc=ldap,dc=mcad,dc=edu"
>         attrs=displayName,cn,mail
>     by self write
>     by anonymous read
>     by dn="cn=postfix,dc=bindAccts,dc=ldap,dc=mcad,dc=edu" read
>     by dn="cn=barracuda,dc=bindAccts,dc=ldap,dc=mcad,dc=edu" read
>     by * none

Shouldn't the last line be (assuming these are the attributes you want
to be visible to anonymous users):

    by * read

?

> # Let only accounts under bindAccts read the rest
> access to dn.subtree="dc=users,dc=accounts,dc=ldap,dc=mcad,dc=edu"
>     by dn.children="dc=bindAccts,dc=ldap,dc=mcad,dc=edu" read
>     by anonymous search
>     by * none
>

Hmm, all bind accounts can read all attributes of any other users? Like
userPassword? Maybe not such a good idea.

> --------------------
>
> With that approach, anonymous users see nothing.

Yep ... because you haven't got an access rule for "anonymous" on the
first ACL, but you restrict everyone (including anonymous) to none.

> If I comment out the second ACL, the query falls through to the last
> ACL in my config, which is:
>
> access to *
>     by <specific accounts> write
>     by * read

Your last ACL should probably not be "by * read" for what you want to
accomplish ...

Also, "by users" and "by self" may be useful to you ... so please read
slapd.access(5).

Regards,
Buchan

--
Buchan Milne
Senior Support Technician
Obsidian Systems
http://www.obsidian.co.za
B.Eng RHCE (803004789010797),LPIC-1 (LPI000074592)
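An added example, not part of the thread and not Ben's or Buchan's configuration: one slapd.conf ACL set that does what the original question asks (anonymous clients get only displayName, cn and mail; accounts under dc=bindAccts read the rest of each entry but never userPassword; everyone else gets nothing). It reuses the DNs from the thread and keeps the thread's `<specific accounts>` placeholder in the catch-all. Two slapd.access(5) rules it relies on that the thread does not spell out: directives are evaluated in order and the first `access to` clause whose `<what>` matches the attribute decides, so the specific clauses must precede the catch-all; and slapd only returns an entry to a client that has read access to the entry's `entry` pseudo-attribute. The second ACL in the original, having no `attrs=` list, also governs `entry`, and `by anonymous search` there is not `read`, which is why anonymous saw no entries even though the first ACL granted read on the three attributes.

```conf
# Added example for the thread above (not the poster's config).
# Order matters: specific attribute rules first, catch-all last.

# 1. Passwords: never readable by anyone; anonymous may only use them
#    to bind (auth), the owner may change them.
access to dn.subtree="dc=users,dc=accounts,dc=ldap,dc=mcad,dc=edu"
        attrs=userPassword
    by self write
    by anonymous auth
    by * none

# 2. The public attributes. Bind accounts are matched by dn.children
#    instead of listing each one; anonymous gets read, nobody else.
access to dn.subtree="dc=users,dc=accounts,dc=ldap,dc=mcad,dc=edu"
        attrs=displayName,cn,mail
    by self write
    by dn.children="dc=bindAccts,dc=ldap,dc=mcad,dc=edu" read
    by anonymous read
    by * none

# 3. The entry pseudo-attribute and objectClass. Read on "entry" is
#    what allows an entry to be returned in search results at all;
#    read on objectClass keeps (objectClass=...) filters usable.
access to dn.subtree="dc=users,dc=accounts,dc=ldap,dc=mcad,dc=edu"
        attrs=entry,objectClass
    by self read
    by dn.children="dc=bindAccts,dc=ldap,dc=mcad,dc=edu" read
    by anonymous read
    by * none

# 4. Everything else under dc=users: owner writes, bind accounts read,
#    anonymous gets nothing. Note "none", not "search": search access
#    would let an anonymous client probe attribute values through
#    filters such as (telephoneNumber=555*) even without reading them.
access to dn.subtree="dc=users,dc=accounts,dc=ldap,dc=mcad,dc=edu"
    by self write
    by dn.children="dc=bindAccts,dc=ldap,dc=mcad,dc=edu" read
    by * none

# 5. Catch-all for the rest of the DIT. "by * read" from the original
#    is replaced by "by users read" so unauthenticated clients cannot
#    walk the tree; <specific accounts> is the thread's own placeholder.
access to *
    by <specific accounts> write
    by users read
    by * none
```

Check the result without a client by asking slapd's own evaluator, e.g. `slapacl -f slapd.conf -b "cn=someone,dc=users,dc=accounts,dc=ldap,dc=mcad,dc=edu" entry/read mail/read userPassword/read` for the anonymous case and the same command with `-D "cn=postfix,dc=bindAccts,dc=ldap,dc=mcad,dc=edu"` for a bind account; the expected answers are read granted on entry and mail for both, userPassword denied for both. Then confirm with `ldapsearch -x` (anonymous simple bind) that the search returns entries carrying only the three attributes.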
