[Date Prev][Date Next]
Re: Readable but not searchable?
Daniel Henninger writes:
> So, I have a container, ou=private,ou=printers,dc=ncsu,dc=edu
> Ideally, what I would like to happen is for it to be impossible to do
> something like:
> -b ou=private,ou=printers,dc=ncsu,dc=edu '(printer-name=*)'
> instead, one would have to know the exact printer-name to look it up.
> visa versa, there is a ou=public,ou=printers,dc=ncsu,dc=edu that is
> perfectly fine to query with an * to get the list of all available public
Check the slapd.access manpage: access of the form 'read' includes
'lesser' access levels like search, but the form '=r' does not.
So - untested, but I think this should do it:
access to dn.subtree=ou=private,ou=printers,dc=ncsu,dc=edu by * =r
(before other access statements whose 'to <what>' clause would
also match that subtree.)
An alternative would be to put the private subtree in a separate
database which has a directive like
sizelimit size.hard=1 size.unchecked=1
and no indexes (maybe except an objectClass index; I seem to remember
slapd misbehaves without that one).