Hello,
I am trying to publish information only when the exact DN is used, as a measure against iteration of accounts.
I configured:
olcAccess: to dn.regex="^uid=[^,]+,(ou=[^,]+,)*dc=openfortress,dc=nl$" by (admin) write by * =rcdx
Note how this is like read privilege =rscdx minus the =s search filter privilege. I am told that I lack the permission, and suspect the default search filter (objectClass=*) requires the =s privilege.
Is what I am trying to do possible with OpenLDAP?
Thanks, -Rick
Hi,
I am trying to publish information only when the exact DN is used, as a measure against iteration of accounts.
I discovered that setting up search indexes for only "eq" on attribute "uid" does just that -- but it feels a bit like a coincidence, or something that future OpenLDAP revisions could alter.
I get reports of "bdb_substring_candidates: not indexed" errors. Is this a feature, or a (coincidental/temporary) bug?
Thanks, -Rick
Hello,
Everything is now resolved, I am documenting it for future reference by others:
I am trying to publish information only when the exact DN is used, as a measure against iteration of accounts.
I discovered that setting up search indexes for only "eq" on attribute "uid" does just that -- but it feels a bit like a coincidence, or something that future OpenLDAP revisions could alter.
A subtree would still display the "uid" objects that I prefer to conceal. This could be resolved by adding a "filter=(!(objectClass=uidObject))" or similar expression.
I get reports of "bdb_substring_candidates: not indexed" errors. Is this a feature, or a (coincidental/temporary) bug?
The filter does not rely on this anymore. Happy :)
-Rick
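For reference, the settings discussed in the three posts, written out as one cn=config modification. This is an added example, not a configuration Rick or the OpenLDAP project posted: the database entry name (olcDatabase={1}bdb,cn=config, chosen because the log message names back-bdb), the admin DN cn=admin,dc=openfortress,dc=nl, and the decision to attach the third post's filter=(!(objectClass=uidObject)) to a separate subtree rule are all assumptions; the thread does not show where that filter clause was placed. Rule {0} grants plain read instead of the first post's "by * =rcdx", since that form was reported as lacking permission.

```ldif
# Added example (not from the thread): cn=config LDIF assembling the settings
# described in the posts. The database entry name, the admin DN and the
# placement of the filter clause are assumptions.
dn: olcDatabase={1}bdb,cn=config
changetype: modify
replace: olcDbIndex
# Equality index only on uid (no "sub" or "pres"), as in the second post.
olcDbIndex: objectClass eq
olcDbIndex: uid eq
-
replace: olcAccess
# Rule {0}: entries addressed as uid=...,(ou=...,)*dc=openfortress,dc=nl.
# Continuation lines start with a space, which LDIF strips on folding.
olcAccess: {0}to dn.regex="^uid=[^,]+,(ou=[^,]+,)*dc=openfortress,dc=nl$"
  by dn.exact="cn=admin,dc=openfortress,dc=nl" write
  by * read
# Rule {1}: the rest of the tree, with the third post's filter excluding
# uidObject entries. slapd uses the first rule whose "to" clause matches
# the entry, so this rule only governs entries rule {0} did not match.
olcAccess: {1}to dn.subtree="dc=openfortress,dc=nl"
  filter=(!(objectClass=uidObject))
  by dn.exact="cn=admin,dc=openfortress,dc=nl" write
  by * read
```

Apply it with ldapmodify against the config database (for example `ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif`), then compare the two searches the thread is about: an exact-DN lookup, `ldapsearch -x -b "uid=rick,ou=people,dc=openfortress,dc=nl" -s base`, and an enumeration attempt, `ldapsearch -x -b "dc=openfortress,dc=nl" -s sub "(uid=*)"`. The second post's own caveat applies: whether the missing substring index stops enumeration is behaviour of the backend, not of the ACL, so check both searches again after any OpenLDAP upgrade.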
openldap-technical@openldap.org