Re: Disallowing Wildcard Searches ?

["Pierangelo Masarati" <masarati@aero.polimi.it>]

nate writes: 

> <quote who="Jerry Nicholls"> 
>
> > Basically I want a setup (a simple contacts list) where if you
> > aren't an authenticated user you cannot do a search using a filter
> > such as
> > "(mail=*)". You can only perform explicit searches.
>
> while i am new to LDAP, it seems you could set a default
> ACL of deny to all unless authenticated, then individually
> add ACLs for each of the fields and give it anonymous
> read access. 
>
> i haven't tried it, but it sounds like a good idea, i will
> probably play with it today and see if i can get it
> working. 
>
> if it does work, then i know more about ldap and openldap
> then i had thought! wow. only been using it for a couple
> days.

In HEAD code and in the forthcoming 2.1 alpha there's support
for granular check of the number of entries that are returned/handled;
in detail, you can set these limits based on the dn that initiated
the request (with subtree, regex and more matching clauses). The limits
can affect: the number of entries that are returned, the duration of
the operation, and (this is probably what you need) the number
of candidates that are checked (filter/acl) before returning.
By setting this limit to a reasonable value for non-authenticated
users you can obtain the filtering you need. 

Pierangelo. 

Dr. Pierangelo Masarati               | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale                | fax:   +39 02 2399 8334
Politecnico di Milano                 | mailto:pierangelo.masarati@polimi.it
via La Masa 34, 20156 Milano, Italy   | http://www.aero.polimi.it/~masarati