Re: Readable but not searchable?
Hrm. I had tried that, but could never get it to work. If I only allowed
=r access, then I was never able to find anything. Maybe I was searching
incorrectly? If you had your access rule set up like this, and went to
use ldapsearch, what would you enter? I tried something like:
ldapsearch -b 'ou=private,ou=printers,dc=ncsu,dc=edu' '(printer-name=foo)'
but had no luck.
Daniel
> Check the slapd.access manpage: access of the form 'read' includes
> 'lesser' access levels like search, but the form '=r' does not.
>
> So - untested, but I think this should do it:
>
> access to dn.subtree=ou=private,ou=printers,dc=ncsu,dc=edu by * =r
>
> (before other access statements whose 'to <what>' clause would
> also match that subtree.)
>
> An alternative would be to put the private subtree in a separate
> database which has a directive like
>
> sizelimit size.hard=1 size.unchecked=1
>
> and no indexes (maybe except an objectClass index; I seem to remember
> slapd misbehaves without that one).
>
> --
> Hallvard
>
--
/\\\----------------------------------------------------------------------///\
\ \\\ Daniel Henninger http://www.vorpalcloud.org/ /// /
\_\\\ North Carolina State University - Systems Programmer ///_/
\\\ Information Technology <IT> ///
"""--------------------------------------------------------------"""
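
Added example, not part of the original thread: a simplified Python model of the slapd.access(5) rule discussed above, showing why the level 'read' includes search while the privilege form '=r' does not. The function names are hypothetical, and the model assumes one <access> clause applies to the entry and all of its attributes.

```python
# Simplified model of slapd.access(5) privilege handling (added example).
LEVELS = {  # cumulative access levels and the privilege letters they imply
    "none": "", "disclose": "d", "auth": "dx", "compare": "cdx",
    "search": "scdx", "read": "rscdx", "add": "arscdx", "delete": "zrscdx",
    "write": "wrscdx", "manage": "mwrscdx",
}
VALID = set("mwazrscxd0")


def parse_access(spec, current=frozenset()):
    """Return the privilege set granted by a <level> or {=|+|-}<priv> spec."""
    if spec in LEVELS:
        letters, op = LEVELS[spec], "="
    elif spec[:1] in "=+-" and len(spec) > 1 and set(spec[1:]) <= VALID:
        op, letters = spec[0], spec[1:]
    else:
        raise ValueError(f"not a slapd access spec: {spec!r}")
    privs = set()
    for ch in letters:
        # 'w' is shorthand for add + delete; '0' grants nothing
        privs |= {"a", "z"} if ch == "w" else set() if ch == "0" else {ch}
    if op == "+":
        return frozenset(current | privs)
    if op == "-":
        return frozenset(current - privs)
    return frozenset(privs)


def search_result(spec, filter_attr="printer-name"):
    """Walk the search requirements from slapd.access(5) for one entry.

    Assumes the same <access> applies to the entry and all its attributes,
    as in a rule of the form 'access to dn.subtree=... by * <access>'.
    """
    privs = parse_access(spec)
    if "s" not in privs:
        return f"no match: filter on {filter_attr} needs search (=s)"
    if "r" not in privs:
        return "matched, but entry not returned: needs read (=r)"
    return "entry returned"
```

With '=r' the model stops at the filter step, which matches the empty result of a filtered search against a subtree that grants read but not search.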