The root Directory Server entry (the entry returned for a base object search with a zero-length DN "") and the subtrees below cn=config, cn=monitor, and cn=schema contain access control instructions (ACIs) that are automatically generated by Directory Server. These ACIs are used to determine user permissions to directory entries. These ACIs are sufficient for evaluation purposes. However, for any production deployment, you need to evaluate your access control requirements and design your own access controls.
If you want to hide the existence of one or more additional subtrees and protect your configuration information for security reasons, you must place additional ACIs on the DIT.
Place an ACI attribute in the entry at the base of the subtree you want to hide.
Place an ACI in the root DSE entry on the namingContexts attribute. The root DSE entry attribute called namingContexts contains a list of the base DNs for each of the Directory Server databases.
Place an ACI on the cn=config and cn=monitor subtrees. The subtree DNs are also stored in the mapping tree entries below cn=config and cn=monitor.
For more information about creating ACIs, see Chapter 6, Directory Server Access Control.