
Re: hide namingcontexts



openldap@downhomelinux.com wrote:
> I am trying to lock down an openldap server (2.4.23). Using the FAQ I
> have limited the user entries with:
> 
> {1}to attrs=userPassword by self =xw by anonymous auth
> {2}to * by users read
> 
> However, I cannot figure out how to match the namingContexts attribute
> with olcaccess to also prevent unauthenticated users from listing the
> directories served. I have tried many variations of the following based
> on search results:
> 
> to attrs=namingContexts by * none
> 
> to dn.exact="" attrs=namingContexts by * none
> 
> to dn.base="" attrs=namingContexts val/distinguishedNameMatch="dc=mydomain,dc=com" by * none

Since you're using back-config, make sure that you add the ACLs to the entry

olcDatabase={-1}frontend,cn=config

Personally, I think it does not make sense to lock down the attribute
'namingContexts', including for bound users, though.

Ciao, Michael.
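As a worked example (added here; it is not part of Michael's reply nor an OpenLDAP project file), the LDIF below does what the reply points at: it puts the ACL for the rootDSE attribute namingContexts into the frontend database, which is the database that actually serves the root DSE (the empty DN), so anonymous clients get nothing while bound users keep read access. It assumes a cn=config setup administered over ldapi:/// with SASL EXTERNAL, that the frontend entry has no other olcAccess values yet (otherwise adjust the {n} ordering indexes), and the hostname and user DN in the check commands are placeholders.

```ldif
# Added example, not from the thread. Apply with (assumed ldapi:/// + SASL EXTERNAL):
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f hide-namingcontexts.ldif
#
# The root DSE (empty DN) is served by the frontend database, so a rule
# placed in olcDatabase={1}mdb (or {1}hdb) never matches it; it has to
# live in olcDatabase={-1}frontend. olcAccess is X-ORDERED, so the {n}
# prefixes fix the position of each rule in the list.
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcAccess
# Rule 0: namingContexts on the root DSE is readable by bound users only.
olcAccess: {0}to dn.base="" attrs=namingContexts
  by users read
  by * none
# Rule 1: once any frontend ACL exists, a non-matching request is denied,
# so keep the rest of the root DSE (supportedSASLMechanisms, etc.) readable,
# otherwise clients cannot even negotiate a bind. (Assumed to be wanted here.)
olcAccess: {1}to dn.base="" by * read
```

To check the result, query the root DSE anonymously and then as a bound user (host and DN assumed): `ldapsearch -x -H ldap://ldap.mydomain.com -b "" -s base namingContexts` should return the empty-DN entry without a namingContexts value, while `ldapsearch -x -H ldap://ldap.mydomain.com -D "uid=someone,dc=mydomain,dc=com" -W -b "" -s base namingContexts` should show dc=mydomain,dc=com. Bear in mind that the suffix is usually guessable from the organisation's domain, so this hides very little from an attacker, and that some client libraries use namingContexts to discover the base DN, which is the practical reason not to hide it from bound users.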

