
Re: Readable but not searchable?

Daniel Henninger writes:
> So, I have a container, ou=private,ou=printers,dc=ncsu,dc=edu
> Ideally, what I would like to happen is for it to be impossible to do
> something like:
> -b ou=private,ou=printers,dc=ncsu,dc=edu '(printer-name=*)'
> instead, one would have to know the exact printer-name to look it up.
> vice versa, there is a ou=public,ou=printers,dc=ncsu,dc=edu that is
> perfectly fine to query with an * to get the list of all available public
> printers.

Check the slapd.access manpage: access of the form 'read' includes
'lesser' access levels like search, but the form '=r' does not.

So - untested, but I think this should do it:

  access to dn.subtree=ou=private,ou=printers,dc=ncsu,dc=edu by * =r

(before other access statements whose 'to <what>' clause would
also match that subtree.)

An alternative would be to put the private subtree in a separate
database which has a directive like

  sizelimit size.hard=1 size.unchecked=1

and no indexes (maybe except an objectClass index; I seem to remember
slapd misbehaves without that one).
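
For readers who want to see the first suggestion spelled out in context, here is a slapd.conf ACL fragment written for this page as an added example; it is not from the original message and, like the reply itself, it is untested. The suffix, the printer-name attribute and the two OUs are taken from the question; the catch-all rule at the end is an assumption about what the rest of the configuration looks like.

```conf
# Added example: slapd.conf access-control fragment for the printers tree.
# slapd evaluates "access to" statements in order and stops at the first
# one whose <what> clause matches the entry, so the private subtree must
# be listed before any broader statement that would also match it.

# 1. Private printers. "=r" grants exactly read, with no implied search
#    privilege; with plain "read", slapd would also grant search, compare
#    and auth. The reply's expectation is that a filter such as
#    (printer-name=*) can then no longer be evaluated over this subtree.
access to dn.subtree="ou=private,ou=printers,dc=ncsu,dc=edu"
        by * =r

# 2. Public printers. Full "read" includes the lesser levels, so
#    ldapsearch -b ou=public,ou=printers,dc=ncsu,dc=edu '(printer-name=*)'
#    still enumerates every public printer.
access to dn.subtree="ou=public,ou=printers,dc=ncsu,dc=edu"
        by * read

# 3. Assumed catch-all for the rest of the suffix (not from the message).
#    If this statement came first, it would match the private subtree too
#    and statement 1 would never be consulted.
access to *
        by * read
```

The only thing the fragment adds to the reply is the ordering: move statement 1 below statement 3 and the restriction silently disappears, which is why the reply insists the private rule go before other statements whose 'to <what>' clause matches that subtree. Whether "=r" alone is enough for an exact-DN lookup to succeed is exactly the point the reply flags as untested, so check it against a test server before relying on it.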