I have another issue in mind: given the above specification, if the same
derefAttr appears in more than one DerefSpec, one could hardly tell
which DerefSpec one DerefRes belongs to. For example:
    request: { { member { cn, sn } }, { member { uid } } }
    response: { { member, "cn=ando" }, { member, "cn=ando" } }
Because the client's identity had read access to entryDN but not to cn,
sn, uid attrs, we'd have a duplicate result. Of course, this could have
been much better formulated as
    request: { { member { cn, sn, uid } } }
    response: { { member, "cn=ando" } }
For this reason I'm inclined towards requesting that each derefAttr in a
sequence of DerefSpec be unique.
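
The ambiguity described in the message above, as an added example that is not part of the original message or of the draft: it evaluates the two-spec request with a client that can read only the entry DN, then shows a uniqueness check and the merged form. The tuple model, the function names and the sample directory are assumptions made for illustration.

```python
# Added illustration. The tuple model of DerefSpec/DerefRes is an assumption,
# not the draft's encoding; all sample data below is constructed.

def norm(attr):
    # LDAP attribute descriptions compare case-insensitively.
    return attr.strip().lower()

def evaluate(specs, entry, directory, readable):
    """One DerefRes (derefAttr, derefVal, attrVals) per spec and per value.
    attrVals keeps only requested attributes the client may read."""
    results = []
    for deref_attr, wanted in specs:
        for dn in entry.get(norm(deref_attr), []):
            target = directory.get(dn, {})
            vals = {a: target[norm(a)] for a in wanted
                    if norm(a) in readable and norm(a) in target}
            results.append((deref_attr, dn, vals))
    return results

def duplicate_deref_attrs(specs):
    """Normalized derefAttr names that occur in more than one DerefSpec."""
    seen, dups = set(), []
    for deref_attr, _ in specs:
        key = norm(deref_attr)
        if key in seen and key not in dups:
            dups.append(key)
        seen.add(key)
    return dups

def merge_specs(specs):
    """Collapse specs that share a derefAttr into one, keeping attribute order."""
    merged = {}
    for deref_attr, wanted in specs:
        _, attrs = merged.setdefault(norm(deref_attr), (deref_attr, []))
        for a in wanted:
            if norm(a) not in [norm(x) for x in attrs]:
                attrs.append(a)
    return list(merged.values())

SPECS = [("member", ["cn", "sn"]), ("member", ["uid"])]
ENTRY = {"member": ["cn=ando"]}
DIRECTORY = {"cn=ando": {"cn": ["ando"], "sn": ["Example"], "uid": ["ando"]}}
DN_ONLY = set()  # client may read entryDN but none of cn, sn, uid

if __name__ == "__main__":
    print(evaluate(SPECS, ENTRY, DIRECTORY, DN_ONLY))   # two identical results
    print(duplicate_deref_attrs(SPECS))                 # what a server could reject
    print(evaluate(merge_specs(SPECS), ENTRY, DIRECTORY, DN_ONLY))
```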