filter in ACL and Netscape
I've been playing with the Netscape preferences setting to control
directory lookups in the Netscape Address book. By fiddling with the
filters I have been able to eliminate some addresses that don't need to
appear:
user_pref("ldap_2.autoComplete.useDirectory", true);
user_pref("ldap_2.servers.Denison.attributes.auth", "username:uid");
user_pref("ldap_2.servers.Denison.auth.enabled", false);
user_pref("ldap_2.servers.Denison.autoComplete.enabled", true);
user_pref("ldap_2.servers.Denison.autoComplete.filter","(&(o=*)(cn=*%s*))");
user_pref("ldap_2.servers.Denison.csid", "UTF-8");
user_pref("ldap_2.servers.Denison.description", "Denison LDAP");
user_pref("ldap_2.servers.Denison.filename", "DenisonLDAP.na2");
user_pref("ldap_2.servers.Denison.filter1.string","(&(o=*)(cn=*%s*))");
user_pref("ldap_2.servers.Denison.position", 4);
user_pref("ldap_2.servers.Denison.replication.never", true);
user_pref("ldap_2.servers.Denison.searchBase","ou=people,dc=denison,dc=edu");
user_pref("ldap_2.servers.Denison.serverName","ldap.denison.edu");
user_pref("ldap_2.servers.DenisonLDAP.vlvDisabled", true);
The filters above require that an entry have something in the o attribute.
This eliminates a bunch of "non-person" entries.
Since this succeeded, my next thought was to move this filter into the
slapd.conf access control list. That way the server enforces the filter
rather than the application. I used:
access to attr=userPassword
        by self write
        by anonymous auth
        by dn="cn=Manager,dc=denison,dc=edu" write
        by * none
access to filter=(o=*)
        by self read
        by dn="cn=Manager,dc=denison,dc=edu" write
        by domain=.*\.denison\.edu read
        by * read
access to *
        by self read
        by dn="cn=Manager,dc=denison,dc=edu" write
        by domain=.*\.denison\.edu read
        by users read
I tested by removing the filters from Netscape and found I was getting the
same service as before. At some point I will add a particular attribute which
indicates which entries are part of the public directory and filter on that
instead. I am new to this, so if anyone wants to show a better way, I'm
listening. I'm using openldap 2.0.23 on Solaris 8.
Charlie
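A small Python model of how slapd evaluates the ACL posted above (the first matching `access to` clause is selected, then its first matching `by` clause decides), run over two constructed entries so the effect of the `filter=(o=*)` clause can be checked without a live server. This is an added example, not Charlie's configuration or OpenLDAP code; it simplifies the real semantics (no `dn.subtree` scoping, no `entry`/`children` pseudo-attributes, `domain=` treated as a plain regex over a constructed client hostname).

```python
import re
from collections import namedtuple
MANAGER = "cn=Manager,dc=denison,dc=edu"
DENISON = r".*\.denison\.edu"

# Constructed sample directory: one person entry carrying an o value and one
# "non-person" entry without it (the kind of entry the filter is meant to hide).
ENTRIES = {
    "uid=alice,ou=people,dc=denison,dc=edu": {
        "cn": ["Alice"], "o": ["Denison"], "userPassword": ["{SSHA}constructed"]},
    "cn=printers,ou=people,dc=denison,dc=edu": {"cn": ["printers"]},
}

# A bound client: empty dn means anonymous; host is what the domain= regex sees.
Client = namedtuple("Client", "dn host", defaults=("", "example.net"))
# Targets ("access to ...") and subjects ("by ...") as small predicates.
def to_attr(name):    return lambda dn, entry, attr: attr == name
def to_filter(name):  return lambda dn, entry, attr: name in entry  # filter=(name=*)
def to_all():         return lambda dn, entry, attr: True
def by_self(c, dn):   return c.dn == dn
def by_anon(c, dn):   return c.dn == ""
def by_users(c, dn):  return c.dn != ""
def by_any(c, dn):    return True
def by_dn(d):         return lambda c, dn: c.dn == d
def by_domain(rx):    return lambda c, dn: re.fullmatch(rx, c.host) is not None

ACL = [  # same order as the posted slapd.conf; the order is what makes it work
    (to_attr("userPassword"), [(by_self, "write"), (by_anon, "auth"),
                               (by_dn(MANAGER), "write"), (by_any, "none")]),
    (to_filter("o"), [(by_self, "read"), (by_dn(MANAGER), "write"),
                      (by_domain(DENISON), "read"), (by_any, "read")]),
    (to_all(), [(by_self, "read"), (by_dn(MANAGER), "write"),
                (by_domain(DENISON), "read"), (by_users, "read")]),
]

def access(client, dn, attr=None):
    """First matching 'access to' clause wins, then its first matching 'by'; else none."""
    entry = ENTRIES[dn]
    for target, subjects in ACL:
        if target(dn, entry, attr):
            for who, level in subjects:
                if who(client, dn):
                    return level
            return "none"
    return "none"

def visible(client):
    """DNs the client can read at entry level, i.e. what its search would return."""
    return sorted(dn for dn in ENTRIES if access(client, dn) in ("read", "write"))
```

Running `visible()` for an anonymous client from outside denison.edu returns only the entry with an `o` value, while any authenticated user (via `by users read`) and any denison.edu host still see the entry without one, so the filter clause narrows the anonymous view only. Moving the `userPassword` clause below `access to *` would let that clause's `by users read` expose password hashes to every bound user, which is why it must stay first.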