Limit access to LDAP shared address book?
Thank you for the feedback!
I still have a couple of questions…
> Simple method is to disallow anonymous binding in slapd.conf.
I tried this by placing “disallow bind_anon” near the end of slapd.conf. It had a strange (to me anyway) effect. It prevented users from logging in to mail through the Squirrelmail web interface. I am guessing that Squirrelmail has to bind to look up credentials and the bind_anon somehow prevents this. Do you have any suggestions?
> For extra credit read our article on Directory Access Controls and then use those.
I started in on this but I’m not 100% sure how to substitute my site for the sample. I think I figured out that the article involves examples of access by users from one server to another. There seem to be these three distinct entities:
dc=cf1,dc=afp548,dc=com
dc=odmaster,dc=afp548,dc=com
dc=cf1,dc=jodapro,dc=com
If I have one basic XServe that is both my mail server and ODMaster, and let us say that the server is mail.mydomain.org, do I replace each of the above search strings with the one from mine:
“dc=mail,dc=mydomain,dc=org” or is it just “dc=mydomain,dc=org”?
Notes:
In Microsoft Mail or Outlook on my local LAN, I use the search base: cn=users,dc=mydomain,dc=org (there is no dc=mail).
If I authenticate (not currently required), I use the dn, as follows: uid=diradmin,cn=users,dc=mydomain,dc=org
[I can substitute any Workgroup Manager administrator and it authenticates, but not “admin” since on my XServe, root is uid 0, admin is uid 501 (netinfo only) and diradmin is uid 1000.]
Thanks again,
Charlie
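The following slapd.conf fragment is an added example and is not from the post above or from the AFP548 Directory Access Controls article it refers to. It shows the shape of an ACL that hides the shared address book from anonymous clients while still allowing a simple bind, instead of the global “disallow bind_anon”, which refuses every anonymous bind regardless of what the client then asks for. The DNs are taken from the poster's own notes (search base cn=users,dc=mydomain,dc=org and bind DN uid=diradmin,cn=users,dc=mydomain,dc=org); that OS X Server's slapd honors these standard OpenLDAP access directives, and that the mail front end's failure was caused by a refused anonymous bind rather than something else, are assumptions.

```conf
# Added example, not from the original post. Assumed base: dc=mydomain,dc=org,
# with user records under cn=users (taken from the poster's Outlook settings).
# OpenLDAP evaluates "access to" clauses in order and stops at the first
# clause whose target matches, so the narrower password rule must come first.

# Let anyone attempt a simple bind against userPassword, but never read it.
# "by anonymous auth" is what keeps plain binds working without an
# anonymous-readable directory; "disallow bind_anon" removes this entirely.
access to dn.subtree="cn=users,dc=mydomain,dc=org" attrs=userPassword
    by self write
    by anonymous auth
    by * none

# The address-book data itself: the directory admin (assumed DN) may write,
# any successfully bound user may read, unauthenticated clients get nothing.
access to dn.subtree="cn=users,dc=mydomain,dc=org"
    by dn.exact="uid=diradmin,cn=users,dc=mydomain,dc=org" write
    by users read
    by anonymous none

# Everything outside cn=users is left at the slapd default (readable), so
# clients that read the base entry or root DSE before searching still work.
```

To check the effect from another machine, an anonymous `ldapsearch -x -H ldap://mail.mydomain.org -b "cn=users,dc=mydomain,dc=org" "(uid=*)"` should now return no user entries, while the same search with `-D "uid=diradmin,cn=users,dc=mydomain,dc=org" -W` added (so it binds as diradmin and prompts for the password) should list them. If the mail login still fails after switching from “disallow bind_anon” to these ACLs, the failing client is doing something other than an anonymous bind, and slapd's log (loglevel 256 records each bind and search with its DN) will show which operation is being refused.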