Limiting attributes shown in ldap://server/searchstuff

I have been trying to limit this in the slapd.conf file but am getting
nowhere.
I found documentation on how to change what Netscape shows, but that
requires modifying the browsers config.
I would hope I could do this from the server itself. This is a simple LDAP
listing (read address book only), my ldif file contains all the info on
users but nothing else. I used the migrate_all_online.pl scripts found on
Red Hat systems, I modified it so it only created the ldif file, so I could
read it and figure out just what info LDAP was going to give me. I removed
all system, hosts, services etc. from the file then imported it. Searching
from the command line and from Address Books works great, but I don't want
users to be able to see Object Classes, krbname, loginshell, uidnumber,
gidnumber and homedirectory. I have tried this in the slapd.conf file:

#defaultaccess none

access to attrs=uid,givenname,sn,telephonenumber,roomnumber,email
        by * read

access to attrs=objectClass,krbname,loginShell,uidNumber,gidNumber,homeDirectory
        by * none

But this seems to have no effect; if I uncomment the defaultaccess line I
get no access. Our firewall prevents outside sources from viewing it, so I
want anyone to be able to read.

Unrelated question: Can I run a second instance of LDAP that could be for
system level stuff? Just on a different port number, and still get things
like pam_auth to work? And what's the best book on LDAP for the clueless?

System specs:
Solaris 2.7 SPARC
OpenLDAP 1.2.11

Thanks all.

************************
John McCoy, Jr
Central Systems Administrator
Mills College, Oakland, CA
510-430-3321
jmccoy@mills.edu
************************
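As an added check, not part of John's post or of OpenLDAP: a small Python script that parses the LDIF an anonymous `ldapsearch` returns and reports, per entry, which of the attributes the post wants hidden (objectClass, krbname, loginShell, uidNumber, gidNumber, homeDirectory) the server is still handing out, which is the quickest way to confirm whether an ACL change actually took effect. The sample LDIF, DNs and values below are constructed, not real directory data.

```python
import base64

# Attribute names (lower-cased) the post wants hidden from anonymous readers.
SENSITIVE = {"objectclass", "krbname", "loginshell", "uidnumber",
             "gidnumber", "homedirectory"}

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; unfolds lines, decodes base64 values."""
    lines = text.replace("\n ", "").splitlines()   # LDIF folds at "\n "
    entries, dn, attrs = [], None, None
    for line in lines + [""]:                      # trailing "" flushes last entry
        if line.startswith("#"):                   # ldapsearch comment lines
            continue
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, None
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        name = name.split(";")[0].strip().lower()  # drop options like ;binary
        if name == "dn":
            dn, attrs = value, {}
        elif attrs is not None:
            attrs.setdefault(name, []).append(value)
    return entries

def exposed_sensitive_attrs(ldif_text, sensitive=SENSITIVE):
    """Map each DN to the sorted sensitive attributes it still exposes."""
    report = {}
    for dn, attrs in parse_ldif(ldif_text):
        leaked = sorted(a for a in attrs if a in sensitive)
        if leaked:
            report[dn] = leaked
    return report

# Constructed sample of `ldapsearch -LLL` output after an ACL change.
SAMPLE = """dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: jdoe
sn: Doe
homeDirectory: /home/jdoe
loginShell:: L2Jpbi9zaA==

dn: uid=asmith,ou=People,dc=example,dc=com
uid: asmith
"""
```

Pipe the real output of `ldapsearch -x -LLL -h <server> -b <base> '(objectclass=*)'` into `exposed_sensitive_attrs` and an empty result means the ACLs hide everything on the list; any DN reported is still leaking.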