I've been messing around with 10.4.1 Server on a test box while keeping my 10.3.9 Server up and running peacefully. Among the battles I'm having with authentication and Samba, one thing I'd really like to do with 10.4 Server is require authentication to even read the LDAP database.
My University's Active Directory setup requires it, and Apple's does not by default, nor do I see anything in Server Admin that would deny anonymous read. Note that this is NOT the same as requiring clients to bind to the directory as in the Binding Sub-tab of the Policy Tab in the Open Directory service in Server Admin.app.
So, has anyone successfully edited /etc/openldap/slapd.conf with a policy in place to require a username/password match to read the database? This would stop simple anonymous binds and require clients to select the "Use Authentication when connecting" option in Directory Access.app to gain access.
Firewalls are great but that's not what I'm going after on this one.
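As an added example (not from the original post), here is the standard OpenLDAP access-control pattern from the OpenLDAP Administrator's Guide for slapd.conf that denies anonymous reads while still letting clients bind. It assumes that simple binds are checked against a userPassword attribute stored in the slapd database, and that no file Apple includes later in the configuration re-grants anonymous read.

```conf
# Added example: OpenLDAP 2.x ACLs for /etc/openldap/slapd.conf.
# Directives are evaluated in order: the first "access to" clause whose
# target matches is used, and within it the first matching "by" clause
# decides. Anything not matched by any clause is denied.
#
# Weak form (allows the anonymous read the post describes):
#
#   access to *
#       by * read
#
# Hardened form: anonymous clients may only use userPassword to
# authenticate ("auth"), which is exactly what a simple bind needs;
# reading anything else requires a successful bind ("users").

access to attrs=userPassword
    by anonymous auth
    by * none

access to *
    by users read
    by * none

# Notes:
# - The rootdn bypasses ACLs entirely, so test with an ordinary account.
# - These clauses must appear before any broader "access to * by * read"
#   rule; otherwise the broader rule matches first and re-opens
#   anonymous read.
# - Assumption about the 10.4 layout: Apple's configuration may include
#   further files after this one, so check that none of them grants
#   anonymous read.
```

Restart slapd after editing and verify from the test box that an anonymous ldapsearch now fails while an authenticated one succeeds. Also confirm that services on the server itself that rely on anonymous lookups still work before repeating this on the production machine.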