[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Readable but not searchable?

Daniel Henninger wrote:
So, I have a container, ou=private,ou=printers,dc=ncsu,dc=edu
Ideally, what I would like to happen is for it to be impossible to do
something like:
-b ou=private,ou=printers,dc=ncsu,dc=edu '(printer-name=*)'

instead, one would have to know the exact printer-name to look it up.

As an aside: if you are designing your own schema, I would recommend using "cn" for the printer name rather than creating a new attribute.

visa versa, there is a ou=public,ou=printers,dc=ncsu,dc=edu that is
perfectly fine to query with an * to get the list of all available public
printers.  Basically, private printers are "hidden" via "security through,
if you don't know it's there, you can't print to it".  ;)  Is this
possible?  I have not been able to find a way to restrict searches, but
allow direct queries.  Maybe it just isn't possible?  Thanks!

A really bad way to solve this problem would be to create a separate back-end, and set "limits anonymous size=1". Only one result could be returned, no matter what.

A better way might be to create an index of who's supposed to see what printer, and set up a regex access control. Or, block all direct LDAP access to the private printers and provide an API or web tool for queries.

           John Borwick
       Systems Administrator
      Wake Forest University | web  http://www.wfu.edu/~borwicjh
      Winston-Salem, NC, USA | GPG key ID               56D60872

Attachment: signature.asc
Description: OpenPGP digital signature