Hi all,

I'm trying to figure out how LDAP determines what data to return when
performing an LDAP query.

Here’s the situation:

When performing an LDAP query on our primary tree, I get way more
information than I’d like via an anonymous connection.
Here’s an example:

Enumerating attributes for DN : cn=user1,ou=Staff,ou=Site,o=Test
zenzfdVersion = <?xml version="1.0" encoding="UTF-8"?><AgentData><Version>4.0.1.5</Version><VerWriteTime>1101852569</VerWriteTime></AgentData>
nGWVisibility = 2
nGWObjectID = user1
nGWPostOffice = cn=GWTEST_PO,ou=Groupwise,ou=Site,o=Test
nGWFileID = 9ju
nGWGroupWiseID = GWTEST_DOM.GWTEST_PO.user1{106}F3C31D60-103D-0000-9529-950086005D00
DirXML-Associations = cn=vault,cn=eDirSYNC,ou=IDM,ou=SITE,o=TEST#1#{89E9AF2E-2372-d511-ADD3-00A0C97871D3}
mail = user.1@sduhsd.net
givenName = user
fullName = User 1
Language = English
sn = 1
securityEquals = cn=Everyone,ou=Staff,ou=Site,o=TEST
securityEquals = cn=Internet,ou=Staff,ou=Site,o=TEST
passwordUniqueRequired = TRUE
passwordRequired = TRUE
passwordMinimumLength = 5
passwordExpirationTime = 20051216061500Z
passwordExpirationInterval = 7776000
passwordAllowChange = TRUE
objectClass = inetOrgPerson
objectClass = organizationalPerson
objectClass = Person
objectClass = Top
objectClass = ndsLoginProperties
eMailAddress = 7#user1@GWSITE_DOM.GWSITE_PO
loginTime = 20050503220908Z
loginMaximumSimultaneous = 4
loginGraceRemaining = 2
loginGraceLimit = 3
loginDisabled = TRUE
loginAllowedTimeMap =
groupMembership = cn=Everyone,ou=Staff,ou=Site,o=TEST
groupMembership = cn=Internet,ou=Staff,ou=Site,o=TEST
cn = user1
ACL = 2#subtree#cn=user1,ou=Staff,ou=Site,o=TEST#[All Attributes Rights]
ACL = 6#entry#cn=user1,ou=Staff,ou=Site,o=TEST#loginScript
ACL = 2#entry#[Public]#messageServer
ACL = 2#entry#[Root]#groupMembership
ACL = 6#entry#cn=user1,ou=Staff,ou=Site,o=TEST#printJobConfiguration
ACL = 2#entry#[Root]#networkAddress

When I query a fresh new tree I get the following results:

Enumerating attributes for DN : cn=user1,ou=Staff,ou=Site,ou=Test,o=sduhsd
mail = user.1@sduhsd.net
givenName = user
sn = 1
objectClass = inetOrgPerson
objectClass = organizationalPerson
objectClass = Person
objectClass = ndsLoginProperties
objectClass = Top


How can I tighten things up?

Thanks,
Matt
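
An added example, not part of the original post: a small audit script that parses output in the "Enumerating attributes for DN" format shown above and lists every attribute an anonymous query returned beyond an allowlist. The allowlist is assumed to be the attribute set the fresh tree returned; the names `parse_dump`, `unexpected_attributes`, `BASELINE` and `SAMPLE` are hypothetical.

```python
import re

HEADER = "Enumerating attributes for DN :"
ATTR_LINE = re.compile(r"^([A-Za-z][\w-]*) =(?: (.*))?$")

# Attributes the fresh tree returned to the anonymous query in the post,
# used here as the allowlist (an assumption about the intended exposure).
BASELINE = {"mail", "givenName", "sn", "objectClass"}

# Excerpt of the primary-tree output from the post, including one value
# that is wrapped onto its own line.
SAMPLE = """\
Enumerating attributes for DN : cn=user1,ou=Staff,ou=Site,o=Test
nGWGroupWiseID =
GWTEST_DOM.GWTEST_PO.user1{106}F3C31D60-103D-0000-9529-950086005D00
mail = user.1@sduhsd.net
givenName = user
sn = 1
passwordMinimumLength = 5
loginDisabled = TRUE
loginAllowedTimeMap =
groupMembership = cn=Everyone,ou=Staff,ou=Site,o=TEST
groupMembership = cn=Internet,ou=Staff,ou=Site,o=TEST
objectClass = inetOrgPerson
ACL = 2#entry#[Public]#messageServer
"""

def parse_dump(text):
    """Return {dn: {attribute: [values]}} for a dump in the post's format."""
    entries, attrs, values = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith(HEADER):
            attrs, values = entries.setdefault(line[len(HEADER):].strip(), {}), None
        elif attrs is not None and line:
            match = ATTR_LINE.match(line)
            if match:
                values = attrs.setdefault(match.group(1), [])
                values.append(match.group(2) or "")
            elif values is not None:
                values[-1] += line  # continuation of a wrapped value
    return entries

def unexpected_attributes(text, baseline=BASELINE):
    """Map each DN to the sorted attribute names outside the allowlist."""
    allowed = {name.lower() for name in baseline}  # LDAP names are case-insensitive
    return {dn: sorted(a for a in attrs if a.lower() not in allowed)
            for dn, attrs in parse_dump(text).items()}

if __name__ == "__main__":
    for dn, names in unexpected_attributes(SAMPLE).items():
        print(dn, "->", ", ".join(names))
```

Running the same check after each rights change shows whether the anonymous view of the primary tree has converged on the fresh tree's.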