
RE: hiding a naming context



-----Original Message-----
From: Ralf Mattes [mailto:rm@mh-freiburg.de] 
Sent: Tuesday, May 19, 2015 8:46 AM
To: Craig White
Cc: openldap-technical@openldap.org
Subject: RE: hiding a naming context

 
On Tuesday, 19 May 2015 17:22 CEST, Craig White <CWhite@skytouchtechnology.com> wrote:
 
> -----Original Message-----
> From: Michael Ströder [mailto:michael@stroeder.com]
> Sent: Tuesday, May 19, 2015 1:04 AM
> To: Craig White; openldap-technical@openldap.org
> Subject: Re: hiding a naming context
> 
> Craig White wrote:
> > Oh - and I put in just a single value in the ldif...
> > 
> > dn: olcDatabase={-1}frontend,cn=config
> > changetype: modify
> > add: olcAccess
> > olcAccess: {0}to dn.exact=""
> >     attrs=namingContext
> 
> s/namingContext/namingContexts/
> 
> ----
> I see said the blind man - worked - thanks.
> 
> Now to determine if that actually hurts anything that I am doing otherwise.

Hmm - maybe I miss the obvious, but wasn't your initial goal "So our programmers want me to filter out ‘namingContexts: cn=accesslog’ for them (please don’t ask)"?
Won't the above ACL block _all_ namingContexts attributes? 

 Cheers, Ralf Mattes
----
I think Michael clipped an extra line

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.exact=""
    attrs=namingContexts
    val/distinguishedNameMatch="cn=accesslog"
    by * none

but to your point - that indeed seems to be what happened - nothing returned in naming contexts at all...

# ldapsearch -x -H ldapi:/// -s base -b '' namingContext "*" + -D cn=admin,dc=domain,dc=com -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingContext * +
#

# search result
search: 2
result: 0 Success

# numResponses: 1

We have had issues with outlook365 for a week now but I am leaving this message mostly unchanged. Is it possible to have an ACL that blocks ONLY one naming context and not everything?
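
The following is an added illustration, not part of the original message and not OpenLDAP code: a simplified model of slapd's first-match ACL evaluation. It shows why a lone value-level rule on the frontend leaves the root DSE empty, and what a second catch-all rule changes. The root DSE contents, the second rule (`READ_REST`) and all function names are assumptions.

```python
# Simplified model of slapd first-match ACL evaluation (illustration only, not OpenLDAP code).
# Constructed root DSE; the two suffixes are assumed from the thread.
ROOT_DSE = {
    "objectClass": ["top", "OpenLDAProotDSE"],
    "namingContexts": ["dc=domain,dc=com", "cn=accesslog"],
}

# A rule is (attribute or None for any, value or None for any, access granted to "*").
# Models: {0}to dn.exact="" attrs=namingContexts
#            val/distinguishedNameMatch="cn=accesslog" by * none
HIDE_ACCESSLOG = ("namingContexts", "cn=accesslog", "none")
# Hypothetical second rule, not from the thread: {1}to dn.exact="" by * read
READ_REST = (None, None, "read")


def access(rules, attr, value=None):
    """Return the access level of the first rule whose <what> clause matches."""
    if not rules:
        return "read"  # no ACLs at all: slapd defaults to "access to * by * read"
    for r_attr, r_val, level in rules:
        if r_attr is not None and r_attr != attr:
            continue
        # Plain string comparison stands in for distinguishedNameMatch here.
        if r_val is not None and r_val != value:
            continue
        return level
    return "none"  # implicit trailing "access to * by * none"


def search_root_dse(rules):
    """Return the visible root DSE attributes, or None if the entry is hidden."""
    # The "entry" pseudo-attribute must be readable before anything is returned.
    if access(rules, "entry") != "read":
        return None
    visible = {}
    for attr, values in ROOT_DSE.items():
        kept = [v for v in values if access(rules, attr, v) == "read"]
        if kept:
            visible[attr] = kept
    return visible
```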