
Re: Disallowing Wildcard Searches ?



nate writes:

> Jerry Nicholls wrote:
>
> > Basically I want a setup (a simple contacts list) where if you
> > aren't an authenticated user you cannot do a search using a filter
> > such as "(mail=*)". You can only perform explicit searches.
>
> While I am new to LDAP, it seems you could set a default
> ACL of deny to all unless authenticated, then individually
> add ACLs for each of the fields and give it anonymous
> read access.
>
> I haven't tried it, but it sounds like a good idea. I will
> probably play with it today and see if I can get it
> working.
>
> If it does work, then I know more about LDAP and OpenLDAP
> than I had thought! Wow. Only been using it for a couple of
> days.

In HEAD code and in the forthcoming 2.1 alpha there is support
for granular checks on the number of entries that are returned/handled;
in detail, you can set these limits based on the DN that initiated
the request (with subtree, regex and more matching clauses). The limits
can affect: the number of entries that are returned, the duration of
the operation, and (this is probably what you need) the number
of candidates that are checked (filter/ACL) before returning.
By setting this limit to a reasonable value for non-authenticated
users you can obtain the filtering you need.


Pierangelo.

Dr. Pierangelo Masarati | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale | fax: +39 02 2399 8334
Politecnico di Milano | mailto:pierangelo.masarati@polimi.it
via La Masa 34, 20156 Milano, Italy | http://www.aero.polimi.it/~masarati
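The configuration below is an added illustration of the two approaches discussed in this thread; it is not from the thread, the OpenLDAP project, or any of the posters. It assumes OpenLDAP 2.1 or later (the release in which the per-requester `limits` directive and the `entry` pseudo-attribute appeared), a back-bdb database, and the hypothetical suffix `dc=example,dc=com`; the numeric limit values are illustrative and should be sized to the actual directory.

```conf
# slapd.conf fragment (added example; assumes OpenLDAP 2.1+ with back-bdb,
# hypothetical suffix dc=example,dc=com, illustrative limit values)

database        bdb
suffix          "dc=example,dc=com"

# Index the attributes anonymous clients are allowed to search on.
# With an equality index, an explicit search such as
# (mail=jerry@example.com) yields a single candidate entry.  Without
# it the backend must treat every entry as a candidate, and the
# size.unchecked limit below would then reject explicit searches too.
index   objectClass     eq
index   cn,sn           eq
index   mail            eq,pres

# Per-requester limits (the 2.1 feature described above).
# size.unchecked caps how many candidate entries the backend will
# evaluate against the filter and the ACLs.  If a search selects more
# candidates than this, slapd does not perform it and returns
# adminLimitExceeded (result code 11) with no entries.  A presence
# filter like (mail=*) selects every entry that has a mail attribute
# and so trips the limit for anonymous requesters, while an indexed
# equality match selects only a few candidates and proceeds.
limits  anonymous  size.unchecked=5 size.soft=5 size.hard=5 time.hard=5
# Authenticated users get ordinary limits.
limits  users      size.soft=500 size.hard=1000 time.hard=60

# ACLs along the lines of nate's suggestion: deny by default, then grant
# anonymous read on a few contact attributes.  "entry" must be readable
# or no entry is returned at all.  Note that read access implies search
# access on an attribute, so these ACLs alone do not stop an anonymous
# (mail=*) enumeration; they only decide which attributes may be used
# in filters and seen in results.  The limits above bound enumeration.
access to attrs=entry,objectClass,cn,sn,mail
        by users read
        by anonymous read
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by users read
        by * none
```

To verify the behaviour after restarting slapd, run an anonymous `ldapsearch -x -b dc=example,dc=com '(mail=*)'` and expect "Administrative limit exceeded (11)" with no entries, then `ldapsearch -x -b dc=example,dc=com '(mail=jerry@example.com)'` and expect the single matching entry. If the explicit search also fails with result 11, the `eq` index on `mail` is missing or has not been rebuilt with `slapindex`.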