On Mon, Sep 13, 2021 at 01:33:50PM +0300, Дилян Палаузов wrote:
Hello,
How can I create an entry (in terms of ldif/ldapadd/ldapmodify), which is not returned on searches (apart from tweaking the olcAccess rules)?
[...]
Rationale: I want to create a directory, containing contacts under:
cn=juridical persons,dc=me
cn=natural persons,dc=me
The LDAP clients shall query base dc=me with scope SUB. The LDAP clients shall see all subentries of Juridical Persons and all subentries of Natural Persons, but not the cn=juridical persons,dc=me, cn=natural persons,dc=me and dc=me entries themselves. As the latter entries do not represent Contacts (mail, phone, address), the entries shall not appear in address books.
Hi,
if you care that the clients just can't see them or some data in there, whatever they do, you need to set ACLs. Otherwise just have the clients send a suitable filter; based on your description, you should be able to match on objectclass at the very least. Worst case, matching on entryDN (like the example given in slapcat's manpage) or using the ":dn:" flag might help if you wanted to filter out certain subtrees.
Regards, Ondrej
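
The ACL option from the reply above, sketched as an added example that is not part of the original thread: the three structural entries get only "search" access, so they can serve as a search base but are never returned, while everything deeper is readable. The database DN `olcDatabase={1}mdb,cn=config`, the `users` subject and the `{0}`-`{2}` positions are assumptions; adjust them to the real configuration and existing rule order.

```ldif
# Added example, not from the thread. Assumed: the database DN below,
# the "users" subject (any authenticated client), and that these rules
# belong ahead of any other rule covering dc=me (first match wins).
#
# {0} dc=me itself: "search" lets clients use it as the search base,
#     but an entry is only returned with "read" on it, so it stays hidden.
# {1} dn.one matches the direct children of dc=me, i.e. the two
#     cn=... container entries: same treatment.
# {2} everything else under dc=me (the contacts) is readable.
#
# Clients that get no match in a rule fall through to the implicit
# "by * none" that ends each rule.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.base="dc=me" by users search
olcAccess: {1}to dn.one="dc=me" by users search
olcAccess: {2}to dn.subtree="dc=me" by users read
```

Any entry later placed directly under dc=me is hidden by rule {1} as well, so contacts have to live below one of the two containers.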