[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: meta backend and substring searches

To: <awenz@mtgnet.de>
Subject: Re: meta backend and substring searches
From: "Pierangelo Masarati" <ando@sys-net.it>
Date: Thu, 27 Feb 2003 11:32:10 +0100 (CET)
Cc: <openldap-software@OpenLDAP.org>
Importance: Normal
In-reply-to: <3E5DC0FC.9030308@mtgnet.de>
References: <3E5DC0FC.9030308@mtgnet.de>

> Is it possible to disallow a substring search without changing the
> schema?
>
> A bit more background:
> I set up a meta backend connecting to different servers.
> Read access is only allowed for cn and mail and userCertificate.
> For I don't want any user to get cn's or mail-addresses by a substring
> search I want to disallow it, so a user have to know the complete cn or
> mail-address to get the attributes. It can easily be done by deleting
> the SUBSTR filter in the schema.
> But is there another way?
> BTW: sizelimit 1 is not what I want.

This is not related to back-meta.  Simply, you should define
your own attrs without substring match, and use them.

If you want a per-user solution (i.e. only some users
should not be able to do substring search) you may try
to use 2.1 limits (on the targets, not in back-meta)
to limit the number of candidates; you need to set limits
for "size.unchecked=<n>" with a low figure for <n>, such
that a search for "cn=*", that is likely to return a lot
of candidates, is surely caught, but not too low,
so that a search for "sn=Smith", wich may legally return
more than one candidate, is not caught.

See slapd.conf(5) for details.

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it

References:
- meta backend and substring searches
  - From: Armin Wenz <awenz@mtgnet.de>

Prev by Date: ldbm and bdb
Next by Date: RE: Build problem (maybe)
Index(es):
- Chronological
- Thread