
Re: LDAP access question



>>Hello.  I can restrict what LDAP searches return by using statements 
>>such as the following in my "slapd.conf" file.  For example, to not 
>>return the attribute values for "employeeNumber"...
>>--------------
>>access to attr=employeeNumber
>>        by dn="cn=boss,dc=here,dc=com"  write
>>        by users read
>>        by * none
>>--------------
>>However, I have been unsuccessful in figuring out a way to not return 
>>the "objectclass", or objectclass values.  Can anyone help me out 
>>with this?  I do not want the "objectclass"es returned to any 
>>anonymous searches.

Hide the objectclass and you'll break a myriad of applications.

>Many have asked this question, none have received answers.
>I'm also curious and would like this possibility, but it doesn't seem
>possible. There are also other things I'd like to hide, such as a
>posixAccount user's uidNumber and gidNumber and homeDirectory. It's got
>nothing to do with anyone but the admin. 

Nope, they have to do with EVERYTHING.  They are the key in NSS, just like the
SID in NT domains.  The user name is a mere convenience for use by wetware.

>But if I do that, they don't
>know who they are when they log in.

Of course not. There is no such thing as "adam"; that is just a nice alias for
user 547.
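
The point made in the reply above, as an added example that is not part of the original thread and is not OpenLDAP code: a simplified Python model of first-match slapd.conf access rules, followed by an NSS-style lookup of a numeric uid. The entry, the `OPEN` rule set, the helper names, and the assumption that the NSS client binds anonymously are all constructed for illustration.

```python
# Simplified model of slapd.conf "access to ... by ..." evaluation (illustration only).
LEVELS = {"none": 0, "read": 1, "write": 2}   # reduced set of access levels

def who_matches(who, bind_dn):
    # bind_dn is None for an anonymous bind
    if who == "*":
        return True
    if who == "users":
        return bind_dn is not None
    return bind_dn is not None and who.lower() == bind_dn.lower()

def access_level(acls, attr, bind_dn):
    # First matching "access to" rule applies, then its first matching "by" clause.
    for what, clauses in acls:
        if what == "*" or what.lower() == attr.lower():
            for who, level in clauses:
                if who_matches(who, bind_dn):
                    return level
            return "none"          # every rule ends with an implicit "by * none"
    return "none"                  # no rule covered this attribute

def visible(acls, entry, bind_dn):
    # Attributes of the entry that this identity is allowed to read.
    return {a: v for a, v in entry.items()
            if LEVELS[access_level(acls, a, bind_dn)] >= LEVELS["read"]}

def getpwuid(acls, directory, uid_number, bind_dn):
    # Models the filter (&(objectClass=posixAccount)(uidNumber=N)) -> login name.
    for entry in directory:
        view = visible(acls, entry, bind_dn)   # the filter only sees readable values
        if ("posixAccount" in view.get("objectClass", [])
                and str(uid_number) in view.get("uidNumber", [])):
            return view.get("uid", [None])[0]
    return None                    # the number stays, the name is gone

# Constructed sample entry and rule sets
DIRECTORY = [{"objectClass": ["account", "posixAccount"], "uid": ["adam"],
              "uidNumber": ["547"], "gidNumber": ["100"],
              "homeDirectory": ["/home/adam"]}]
BOSS = "cn=boss,dc=here,dc=com"

def page_rule(attr):
    # Same shape as the employeeNumber rule quoted in the thread.
    return (attr, [(BOSS, "write"), ("users", "read"), ("*", "none")])

OPEN = [("*", [("*", "read")])]
HIDE_UIDNUMBER = [page_rule("uidNumber")] + OPEN
HIDE_OBJECTCLASS = [page_rule("objectClass")] + OPEN

if __name__ == "__main__":
    for name, acls in [("open", OPEN), ("hide uidNumber", HIDE_UIDNUMBER),
                       ("hide objectClass", HIDE_OBJECTCLASS)]:
        print(name, "->", getpwuid(acls, DIRECTORY, 547, None))
```

Hiding either attribute from the anonymous bind makes the lookup for uid 547 come back empty, while an authenticated bind still resolves it to "adam".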