openldap@downhomelinux.com wrote:
I am trying to lock down an openldap server (2.4.23). Using the FAQ I have limited the user entries with:
{1)to attrs=userPassword by self =xw by anonymous auth {2)to * by users read
However, I cannot figure out how to match the namingContexts attribute with olcaccess to also prevent unauthenticated users from listing the directories served. I have tried many variations of the following based on search results:
to attrs=namingContexts by * none
to dn.exact="" attrs=namingContexts by * none
to dn.base="" attrs=namingContexts val/distinguishedNameMatch="dc=mydomain,dc=com" by * none
Since you're using back-config make sure that you add the ACLs to entry
olcDatabase={-1}frontend,cn=config
Personally I think it does not make sense to lock down attribute 'namingContexts' including bound users though.
Ciao, Michael.