
Re: meta backend and substring searches



> Is it possible to disallow a substring search without changing the
> schema?
>
> A bit more background:
> I set up a meta backend connecting to different servers.
> Read access is only allowed for cn and mail and userCertificate.
> For I don't want any user to get cn's or mail-addresses by a substring
> search I want to disallow it, so a user has to know the complete cn or
> mail-address to get the attributes. It can easily be done by deleting
> the SUBSTR filter in the schema.
> But is there another way?
> BTW: sizelimit 1 is not what I want.

This is not related to back-meta.  Simply, you should define
your own attrs without substring match, and use them.

If you want a per-user solution (i.e. only some users
should not be able to do substring search) you may try
to use 2.1 limits (on the targets, not in back-meta)
to limit the number of candidates; you need to set limits
for "size.unchecked=<n>" with a low figure for <n>, such
that a search for "cn=*", that is likely to return a lot
of candidates, is surely caught, but not too low,
so that a search for "sn=Smith", which may legally return
more than one candidate, is not caught.

See slapd.conf(5) for details.

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
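
The two suggestions in the reply above, sketched as slapd.conf fragments for the target servers; this is an added example, not part of the original message. The attribute and object class names, the OIDs under the 1.1 arc, the DN and the figure 20 are all assumptions chosen for illustration.

```conf
# --- Option 1: a custom attribute with no substring matching rule ---
# Hypothetical attribute "exactMail": same syntax and equality rule as
# "mail" (IA5String, caseIgnoreIA5Match), but with no SUBSTR clause, so a
# filter such as (exactMail=*foo*) has no matching rule to evaluate against.
# OIDs under 1.1 are placeholders; replace them with OIDs from your own arc.
attributetype ( 1.1.2.1.1 NAME 'exactMail'
    DESC 'mail address, equality match only (illustrative)'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )

# Hypothetical auxiliary class so existing entries can carry the attribute.
objectclass ( 1.1.2.2.1 NAME 'exactLookupPerson'
    DESC 'carries equality-only lookup attributes (illustrative)'
    SUP top AUXILIARY
    MAY ( exactMail ) )

# --- Option 2: per-user candidate limit (see slapd.conf(5), "limits") ---
# Placed in the database section of each target server, not in back-meta.
# size.unchecked caps the number of candidates a search may select before
# the filter is evaluated against them. The value 20 is an assumed figure:
# low enough that (cn=*) is caught, high enough that (sn=Smith) is not.
# The DN below is a constructed placeholder for the restricted identity.
limits dn.exact="uid=lookup,ou=people,dc=example,dc=com" size.unchecked=20

# The same limit applied to every authenticated user instead:
# limits users size.unchecked=20
```

Which value of size.unchecked works depends on how the searched attributes are indexed on each target, since the index lookup determines how many candidates a given filter selects.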