On Fri, 2003-09-12 at 10:35, suomi hasler wrote:
> Hi Brian

Hi Suomi,

> if you prohibit base read access to the directory (in your last ACL "by
> * none"), you prohibit access to the schema and basic DIT information
> like e.g. namingContext.

Indeed. This is what I had gathered. I was hoping my query here would yield some help in determining what "minimum" amount of read access I had to allow in order to allow access to that information.

I prefer to not try to lock down information as it's added to the directory, but rather open it up as required. The former is prone to security/information leaks. The latter is just broken functionality with regard to new information until it is corrected. Fail-safe as it were.

It seems there is some information, protectable by ACLs, that applications can read from the database that is not obvious to a directory administrator. I was hoping somebody would shed light on that aspect.

So I guess the question remains (to all, not you specifically): other than the root DSE, what else in terms of entries, other than the entries I add to the database, do I need to give a user read access to so that clients such as GQ work properly?

b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell
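The ACL shape this thread is circling, as an added example that is not from the thread or from either poster: a slapd.conf access list that keeps the fail-safe "by * none" catch-all but re-opens the two pseudo-entries a browser such as GQ reads before it touches any real entry, the root DSE (dn.base="") and the subschema subentry (cn=Subschema). The suffix dc=example,dc=com is a placeholder; the rest is standard slapd ACL syntax.

```conf
# Added example (not from this thread): slapd.conf ACLs that stay
# default-deny while exposing what LDAP clients need for discovery.
# Directives are evaluated in order and the first "access to" clause
# whose target matches the entry wins, so the narrow clauses come first.

# Root DSE: namingContexts, supportedLDAPVersion, subschemaSubentry,
# supportedSASLMechanisms. Clients read this before binding, so it is
# normally left readable to anonymous.
access to dn.base=""
    by * read

# Subschema subentry: attributeTypes and objectClasses, which browsers
# fetch to decode and display entries. Tighten to "by users read" if
# schema should only be visible after authentication.
access to dn.base="cn=Subschema"
    by * read

# Real data under the placeholder suffix: opened only as far as needed.
access to dn.subtree="dc=example,dc=com"
    by self write
    by users read
    by anonymous auth

# Catch-all: anything not matched above is denied (the fail-safe stance).
# Without this, slapd's built-in default allows reads to everyone.
access to *
    by * none
```

To check the effect from the client side, an anonymous base-scope search of the empty DN should return the discovery attributes even though the suffix itself stays closed: `ldapsearch -x -H ldap://ldap.example.com -s base -b "" "(objectClass=*)" namingContexts subschemaSubentry`. If that search returns nothing, the root DSE clause is missing or is shadowed by an earlier, broader "by * none".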