Re: Readable but not searchable?

[John Borwick <borwicjh@wfu.edu>]

Daniel Henninger wrote:
[snip]
> So, I have a container, ou=private,ou=printers,dc=ncsu,dc=edu
> Ideally, what I would like to happen is for it to be impossible to do
> something like:
> -b ou=private,ou=printers,dc=ncsu,dc=edu '(printer-name=*)'
>
> instead, one would have to know the exact printer-name to look it up.

As an aside: if you are designing your own schema, I would recommend 
using "cn" for the printer name rather than creating a new attribute.

> visa versa, there is a ou=public,ou=printers,dc=ncsu,dc=edu that is
> perfectly fine to query with an * to get the list of all available public
> printers.  Basically, private printers are "hidden" via "security through,
> if you don't know it's there, you can't print to it".  ;)  Is this
> possible?  I have not been able to find a way to restrict searches, but
> allow direct queries.  Maybe it just isn't possible?  Thanks!

A really bad way to solve this problem would be to create a separate 
back-end, and set "limits anonymous size=1".  Only one result could be 
returned, no matter what.

A better way might be to create an index of who's supposed to see what 
printer, and set up a regex access control.  Or, block all direct LDAP 
access to the private printers and provide an API or web tool for queries.

HTH,
John
--
           John Borwick
       Systems Administrator
      Wake Forest University | web  http://www.wfu.edu/~borwicjh
      Winston-Salem, NC, USA | GPG key ID               56D60872

Attachment: signature.asc
Description: OpenPGP digital signature