Access control

By the time we roll in our OS X, mail, and internal data, individual
directory entries are getting quite large.  I would like to restrict
anonymous queries to just retrieving a small subset of attributes (cn,
displayName, mail, ou, etc.).

Is there some method that would allow me to specify which attributes
an anonymous user can see, and default to denying the rest?

This is what I tried:


# Let anonymous users read just the basic attributes
access to dn.subtree="dc=users,dc=accounts,dc=ldap,dc=mcad,dc=edu"
        by self write
        by anonymous read
        by dn="cn=postfix,dc=bindAccts,dc=ldap,dc=mcad,dc=edu" read
        by dn="cn=barracuda,dc=bindAccts,dc=ldap,dc=mcad,dc=edu" read
        by * none

#Let only accounts under bindAccts read the rest
access to dn.subtree="dc=users,dc=accounts,dc=ldap,dc=mcad,dc=edu"
        by dn.children="dc=bindAccts,dc=ldap,dc=mcad,dc=edu" read
        by anonymous search
        by * none


With that approach, anonymous users see nothing.  If I comment out the
second ACL, the query falls through to the last ACL in my config,
which is:

access to *
       by <specific accounts> write
       by * read

Thanks for any insight!
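An ACL layout that yields the per-attribute restriction asked about above, added here as an example and not taken from the original message; it reuses the DNs from the post and assumes slapd.conf syntax, where slapd stops at the first "access to" clause whose target (entry and attribute) matches:

```conf
# Clause 1: only the attributes anonymous may read.  Because the target is
# limited with attrs=, every other attribute of these entries falls through
# to clause 2.  The "entry" pseudo-attribute must be included, otherwise
# slapd never returns the entry at all, which is what made "see nothing"
# happen when a later clause denied it.
access to dn.subtree="dc=users,dc=accounts,dc=ldap,dc=mcad,dc=edu"
        attrs=entry,cn,displayName,mail,ou
        by self write
        by dn.children="dc=bindAccts,dc=ldap,dc=mcad,dc=edu" read
        by anonymous read
        by * none

# Clause 2: the remaining attributes of the same entries.  Only the owner
# and accounts under bindAccts (postfix, barracuda, ...) get them.
# "search" lets anonymous use these attributes in a filter without reading
# their values; drop that line if even filter-matching is considered a leak.
access to dn.subtree="dc=users,dc=accounts,dc=ldap,dc=mcad,dc=edu"
        by self write
        by dn.children="dc=bindAccts,dc=ldap,dc=mcad,dc=edu" read
        by anonymous search
        by * none

# Catch-all stays last; anything above matched first for the users subtree.
access to *
        by * read
```

Check the result with an anonymous bind, e.g. `ldapsearch -x -b "dc=users,dc=accounts,dc=ldap,dc=mcad,dc=edu" "(cn=*)"`, and confirm that only cn, displayName, mail and ou come back while an authenticated bind account still sees the full entry.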