On Mon, Mar 08, 2010 at 11:04:42AM -0500, Gaiseric Vandal wrote:
> But in terms of an address book, if someone has an LDAP address book
> client (e.g. thunderbird) you can't prevent them from trying to
> recursively query "ou=people,...." vs "ou=students." You can advise
> end users whether they should set up two LDAP address books (students
> vs employees) rather than one top level "people" one. From the end
> user perspective, a single LDAP directory will probably be simpler.
>
> So you would need to set ACL's to restrict access to "ou=other" OR to
> restrict access to "ou=people" and then grant it back to "ou=employees"
> and "ou=students." You also want to make sure that certain fields
> (passwd) are restricted so that only "administrator" accounts can access
> them. You can also configure whether anonymous users can access certain
> information or not (e.g. names and phone numbers.)
>
> I use Sun's directory server as an LDAP backend. I suspect most samba
> users are using OpenLDAP. I also suspect that LDAP attributes may
> not be restricted by default as much as they should be.
I've never gotten around to actually setting up LDAP anywhere, though I've looked at it several times. Each time I do, I come away from it feeling that LDAP suffers badly from "The wonderful thing about standards is that there's so many to choose from". It seems it's so open-ended, and there are so many possible ways to set up a directory, that it becomes difficult to find any two LDAP-aware applications that actually use (and expect to see) the same LDAP schema.

How does one overcome this?

-- 
Phil Stracchino, CDK#2 DoD#299792458 ICBM: 43.5607, -71.355
Renaissance Man, Unix ronin, Perl hacker, Free Stater
It's not the years, it's the mileage.

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
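The ACL design Gaiseric sketches above (restrict ou=people, grant back ou=employees and ou=students, hide passwords, let anonymous clients see only names and phone numbers), written out as OpenLDAP slapd.conf access directives. This is an added example, not from either poster; Gaiseric runs Sun's directory server, whose ACI syntax differs. Assumed: suffix dc=example,dc=com, an admin DN of cn=admin,dc=example,dc=com, and address-book clients that bind anonymously and search ou=people.

```conf
# Added example (not from the thread): OpenLDAP slapd.conf ACLs for the
# ou=people / ou=employees / ou=students / ou=other layout discussed above.
# Assumed suffix dc=example,dc=com and admin DN cn=admin,dc=example,dc=com.
# OpenLDAP applies the FIRST "access to" clause that matches, so order matters.

# 1. Passwords are never readable. Admin may set them, users may change their
#    own, anonymous may only use them to bind ("auth"), everyone else: nothing.
access to attrs=userPassword
    by dn.exact="cn=admin,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none

# 2. ou=other stays private. Listed before the broader ou=people rules so it
#    wins for this subtree; only the admin and the entry's own owner see it.
access to dn.subtree="ou=other,ou=people,dc=example,dc=com"
    by dn.exact="cn=admin,dc=example,dc=com" write
    by self read
    by * none

# 3. Grant the address-book attributes back for employees and students.
#    "entry" and "objectClass" are needed so a search can match and return
#    the entry at all; nothing else (uid, homeDirectory, ...) is exposed.
access to dn.subtree="ou=employees,ou=people,dc=example,dc=com"
        attrs=entry,objectClass,cn,sn,givenName,mail,telephoneNumber
    by * read
access to dn.subtree="ou=students,ou=people,dc=example,dc=com"
        attrs=entry,objectClass,cn,sn,givenName,mail,telephoneNumber
    by * read

# 4. Let clients use ou=people itself as their search base (that entry only).
access to dn.base="ou=people,dc=example,dc=com" attrs=entry,objectClass,ou
    by * read

# 5. Everything else under ou=people: authenticated users may read,
#    anonymous clients get nothing, the admin manages.
access to dn.subtree="ou=people,dc=example,dc=com"
    by dn.exact="cn=admin,dc=example,dc=com" write
    by users read
    by * none

# 6. Catch-all for the rest of the tree (ou=groups, the base entry, ...).
access to *
    by dn.exact="cn=admin,dc=example,dc=com" write
    by users read
    by * none
```

Check the result by running the same ldapsearch against ou=people three times: anonymously (`-x` with no `-D`), bound as an ordinary user, and bound as the admin, and confirm that userPassword and anything under ou=other never appear in the anonymous output.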
