I am trying to lock down an openldap server (2.4.23). Using the FAQ I have limited the user entries with:
{1}to attrs=userPassword by self =xw by anonymous auth
{2}to * by users read
However, I cannot figure out how to match the namingContexts attribute with olcaccess to also prevent unauthenticated users from listing the directories served. I have tried many variations of the following based on search results:
to attrs=namingContexts by * none
to dn.exact="" attrs=namingContexts by * none
to dn.base="" attrs=namingContexts val/distinguishedNameMatch="dc=mydomain,dc=com" by * none
Can anyone help?
Thanks
On Fri, Nov 22, 2013 at 02:26:28PM -0500, Aaron Richton wrote:
On Fri, 22 Nov 2013, openldap@downhomelinux.com wrote:
to dn.exact="" attrs=namingContexts by * none
I'd expect this to work. Are you sure that you're adding this as a global directive, not inside of a particular backend/database?
I have tried putting each of the following in -1frontend.ldif:
olcAccess: to attrs=namingContexts by * read
or
olcAccess: to dn.exact="" attrs=namingContexts by * read
I lose all access whether I bind to the rootdn or not, yet I explicitly set read access.
openldap@downhomelinux.com wrote:
I am trying to lock down an openldap server (2.4.23). Using the FAQ I have limited the user entries with:
{1}to attrs=userPassword by self =xw by anonymous auth
{2}to * by users read
However, I cannot figure out how to match the namingContexts attribute with olcaccess to also prevent unauthenticated users from listing the directories served. I have tried many variations of the following based on search results:
to attrs=namingContexts by * none
to dn.exact="" attrs=namingContexts by * none
to dn.base="" attrs=namingContexts val/distinguishedNameMatch="dc=mydomain,dc=com" by * none
Since you're using back-config, make sure that you add the ACLs to entry
olcDatabase={-1}frontend,cn=config
Personally I think it does not make sense to lock down attribute 'namingContexts' including bound users though.
Ciao, Michael.
openldap-technical@openldap.org
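The change Michael describes, written out as an LDIF modify against the frontend entry. This is an added example, not code from any message in the thread; it assumes cn=config is reachable over ldapi:/// with SASL EXTERNAL, and the suffix and user DNs in the verification commands are placeholders.

```ldif
# Added example (not from the thread): hide namingContexts in the rootDSE
# from unauthenticated clients, while leaving the rest of the rootDSE
# (supportedLDAPVersion, supportedSASLMechanisms, ...) readable so clients
# can still discover how to bind.
#
# Apply with (assumes cn=config access over ldapi:/// via SASL EXTERNAL):
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f frontend-acl.ldif
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcAccess
# {0}: the rootDSE is the entry with the empty DN. The first <what> clause
# that matches wins, so the attribute-specific rule goes before the
# catch-all for the same entry.
olcAccess: {0}to dn.exact="" attrs=namingContexts
  by users read
  by * none
# {1}: everything else in the rootDSE stays world-readable.
olcAccess: {1}to dn.exact="" by * read
-

# Verify: the anonymous base search of the rootDSE should no longer return
# namingContexts, while the same search after a simple bind should.
#   ldapsearch -x -H ldap://localhost -b "" -s base namingContexts
#   ldapsearch -x -H ldap://localhost -b "" -s base namingContexts \
#       -D "cn=someuser,dc=example,dc=com" -W      # placeholder DN
```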