Not sure about altServer or ACLs, but the namingContext can be altered by partitioning your tree. All partition roots will show
up as naming contexts.

Best regards,

On 2012-05-10 06:56, lpavic wrote:
> Does anyone know if it is possible to control the altServer and
> namingcontexts attributes or possibly control which user (i.e. ACL) can
> query for those attributes?
> I have a customer where I implemented OSX integration by extending the
> schema a couple of years ago. Everything was working fine (including
> WorkGroup manager for management of the preferences on user, computer
> and user and computer group objects) until Lion came along.
> I spent days analysing the network traces, and it is clear that Lion
> ignores the ldap configuration, but as soon as it cannot get something
> from the configured server, it queries that server for the
> namingcontexts and altServer attributes, and then it's free for all from
> what I can see.
> It keeps hitting different servers randomly, but it looks like it tries
> the servers with lowest IP address first.
> There are a couple of issues with this:
> 1) Load balancer became totally useless. While initially a connection
> is made through it (when the computer is configured to connect to eDir)
> later on, it is hitting the real servers.
> 2) Customer has many replicas, and unfortunately, each replica is a
> separate naming context. So when Lion queries DSE Root, it gets all
> these responses it needs to go through and query individually until it
> finds the naming context that has osx part of the eDir. Sometimes it
> gives up after a while, so managed preferences do not get loaded on the
> computer
> 3) DSfW has also been implemented recently, and this adds further
> complexity as AD naming context returned by DSfW is also completely
> different and even forcing everything to go to port 1389 does not work,
> as good old Apple is shipping out beta quality software all the time,
> and irrespective of the configuration it is still trying port 389 like
> crazy.
> So, one idea for the resolution of this problem is to either not
> respond to those queries unless you're authenticated with appropriate
> credentials, which could force Lion to behave like previous versions and
> just use the configured ldap server or the ldapreplicas record in the
> eDirectory. Or another one would be to provide the options in the ldap
> server object, so that we can respond by the load balancer's virtual IP
> when altServer is requested (or only the servers that do not have DSfW),
> and also to be able to define the namingcontexts that will be returned
> to the ldap client. Either way, I need to be able to control these
> options if possible, and the question is if someone has done it before,
> or whether Novell/netIQ are looking at providing this functionality to
> make eDir more usable (I understand AD and OD have some of this
> functionality).
> This is the first time I came across the application that actually uses
> this method of finding out more about the ldap directory in order to
> enhance its ability, so I don't think it would matter much if we can
> define those attributes to the values we find appropriate in different
> situations.
> Thanks.
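The thread turns on what an anonymous client actually sees when it reads the rootDSE for namingContexts and altServer, and whether the altServer values point back at the load balancer or at individual replicas. The script below is an added example, not code from the thread or from Novell/NetIQ: it parses a constructed LDIF rootDSE response (standing in for the output of `ldapsearch -x -H ldap://<server> -s base -b "" namingContexts altServer`) and reports how many naming contexts a client would have to walk, whether the context holding the OS X data is among them, and which altServer referrals fall outside an allowlist of hosts (such as the load balancer's VIP). All hostnames, IPs and DNs in the sample are made up.

```python
"""Audit a rootDSE response for the two discovery attributes discussed
in the thread: namingContexts and altServer.

Added example; the LDIF below is constructed, not captured from a real
eDirectory server. Hosts, IPs and DNs are placeholders.
"""
from urllib.parse import urlparse

# Constructed sample rootDSE output (hypothetical server, hypothetical tree).
SAMPLE_ROOTDSE = """dn:
namingContexts: o=example
namingContexts: ou=osx,o=example
namingContexts: ou=branch1,o=example
namingContexts: dc=example,dc=local
altServer: ldap://10.0.0.11:389
altServer: ldap://10.0.0.12:389
altServer: ldap://ldap-vip.example.local:389
"""


def parse_rootdse(ldif_text):
    """Return {attribute: [values]} from a single-entry LDIF text.

    Handles LDIF line continuation (a leading space joins to the previous
    line). Base64 values ("attr:: ...") are not decoded; rootDSE discovery
    attributes are plain text in practice.
    """
    logical_lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and logical_lines:
            logical_lines[-1] += raw[1:]
        else:
            logical_lines.append(raw)

    attrs = {}
    for line in logical_lines:
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def audit_rootdse(attrs, expected_context, allowed_alt_hosts):
    """Summarise what a discovering client (like the Lion client in the
    thread) would see.

    expected_context:  DN of the partition holding the OS X objects.
    allowed_alt_hosts: hostnames/IPs that altServer may legitimately
                       refer clients to (e.g. the load balancer VIP).
    """
    contexts = attrs.get("namingContexts", [])
    alt_servers = attrs.get("altServer", [])

    # Every extra partition root is one more context the client must
    # query before it finds the OS X data.
    report = {
        "context_count": len(contexts),
        "expected_context_present": expected_context.lower()
        in (c.lower() for c in contexts),
        "alt_servers_outside_allowlist": [],
    }

    # altServer values are LDAP URLs; compare only the host part.
    for url in alt_servers:
        host = urlparse(url).hostname
        if host not in allowed_alt_hosts:
            report["alt_servers_outside_allowlist"].append(url)
    return report


if __name__ == "__main__":
    parsed = parse_rootdse(SAMPLE_ROOTDSE)
    result = audit_rootdse(parsed, "ou=osx,o=example", {"ldap-vip.example.local"})
    print(f"naming contexts exposed: {result['context_count']}")
    print(f"OS X context present:    {result['expected_context_present']}")
    for url in result["alt_servers_outside_allowlist"]:
        print(f"altServer bypasses load balancer: {url}")
```

Run it against real `ldapsearch` output by replacing `SAMPLE_ROOTDSE` with the captured text; the allowlist is where you encode the policy from the thread (only the VIP, or only replicas without DSfW). Any altServer URL listed outside the allowlist is a replica that a client can reach directly, bypassing the load balancer.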