Snippet from the documentation

Policies

There are two security policies that can be configured:

The Publish Policy should be enabled if you have external applications accessing the directory, for example network-attached storage servers.
The Accounts Access should be enabled if you have external applications requiring account information, for example adding the Global Address book feature in the Thunderbird mail client.

I'll try to explain. This is what I think but if I'm wrong please correct me.

Publish Policy is for authentication thus authenticate against LDAP.

Account Access is a step further. You can retrieve information from LDAP account. Like a address.

I guess also that, but bind information already provide access to LDAP.

flexshare apache file do not use bind information to use LDAP for authentification however some apache config file do... like this one :

# Upload Apache conf



Alias /upload /home/lazer/Finance/Comptes/Upload



<Directory /home/lazer/Finance/Comptes/Upload>

 AllowOverride Options FileInfo

 AuthType Basic

 AuthName "File Upload restricted access"

 include /etc/httpd/conf.d/ldap.auth



# HTTPS forced (if needed)

 RewriteEngine On

 RewriteCond %{HTTPS} off

 RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}



# Upload large files

 php_value memory_limit  128M

 php_value post_max_size 64M

 php_value upload_max_filesize 40M

</Directory>

and I get lot of trouble with both apache login on flexshare AND with this config when policy if was off. I also can't connect with FTP...

So i try to get a better understanding of what this setting means and change...

ldap.auth :

# ldap Authenticate users from ClearOS OpenLDAP



 AuthType Basic

 AuthBasicProvider ldap



# Bind to OpenLDAP

 AuthLDAPBindDN cn=manager,ou=Internal,dc=xxx,dc=xxx

 AuthLDAPBindPassword xxxxxx



# Authorize access to users defined here (change 'userX')

 AuthLDAPURL ldap://localhost/ou=Users,ou=Accounts,dc=xxx,dc=xxx

#Require ldap-user lazer

 Require ldap-group cn=MY_GROUP,ou=Groups,ou=Accounts,dc=xxx,dc=xxx



# Uncomment these three lines if access needed without auth (from this LAN IP)

Order Allow,Deny

Allow from 10.

Deny from 10.0.0.138

Satisfy any

This config was working on my previous install on COS 6.6 and use LDAP auth when connexion is from network otherwise no auth is required....

Now Auht is required all the time....

I don't know about Accounts Access, but for Publish Policy:-

Disabled = Disabled from LAN and WAN, accessible to localhost by LDAP (tcp:389) and LDAPS (tcp:636)
Local Network = Accessible to localhost by LDAP and LDAPS, also accessible to LAN by LDAPS
All Networks = Accessible to localhost by LDAP and LDAPS, also accessible to LAN and WAN by LDAPS

You need to tinker with the start up files to allow LDAP (as opposed to LDAPS) from the LAN or WAN.

As a corollary of this, any service running in ClearOS (FTP, flexshares, Apache etc) should work with Publish Policy disabled. You should be able to see how ldap is listening with something like:

netstat -npl | egrep '389|636'

[edit]
OK so it is different between 6.x and 7.x. 7.x does not listen on LDAPS for localhost; 6.x does.
[/edit]