Re: meta backend and substring searches
> Is it possible to disallow a substring search without changing the
> schema?
>
> A bit more background:
> I set up a meta backend connecting to different servers.
> Read access is only allowed for cn and mail and userCertificate.
> Because I don't want any user to get cn's or mail-addresses by a substring
> search, I want to disallow it, so a user has to know the complete cn or
> mail-address to get the attributes. It can easily be done by deleting
> the SUBSTR filter in the schema.
> But is there another way?
> BTW: sizelimit 1 is not what I want.
This is not related to back-meta. Simply, you should define
your own attrs without substring match, and use them.
If you want a per-user solution (i.e. only some users
should not be able to do substring search) you may try
to use 2.1 limits (on the targets, not in back-meta)
to limit the number of candidates; you need to set limits
for "size.unchecked=<n>" with a low figure for <n>, such
that a search for "cn=*", that is likely to return a lot
of candidates, is surely caught, but not too low,
so that a search for "sn=Smith", which may legally return
more than one candidate, is not caught.
See slapd.conf(5) for details.
p.
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
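
The two approaches from the reply above, sketched as a slapd.conf fragment for a target server. This is an added example, not configuration from the thread or from the poster; the attribute and class names, the OIDs, the suffix, the DN and the limit value are all assumptions chosen for illustration.

```conf
# slapd.conf on each target server (not on the back-meta proxy).
# Every name, OID, DN and number below is constructed for illustration.

# Approach 1: a custom attribute that defines EQUALITY but no SUBSTR rule.
# A filter such as (exactMail=*smith*) has no substring rule to evaluate and
# returns no entries, so a client must supply the complete value.
# OIDs under 1.1 are for local experiments; use your own arc in production.
attributetype ( 1.1.2.1.1 NAME 'exactMail'
        DESC 'mail address, equality match only (hypothetical)'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )

objectclass ( 1.1.2.2.1 NAME 'exactMailUser'
        DESC 'auxiliary class carrying exactMail (hypothetical)'
        SUP top AUXILIARY
        MAY exactMail )

database bdb
suffix "dc=example,dc=com"

# An equality index keeps the candidate set small for exact-match lookups.
index exactMail eq

# Approach 2: cap the number of candidates a search may examine.
# Presence filters such as (cn=*) are not affected by approach 1; a low
# size.unchecked value rejects them before any entry is evaluated, while an
# exact match like (sn=Smith) stays under the cap. Tune <n> to your data.
# Per-identity limit for one restricted account (hypothetical DN):
limits dn.exact="uid=kiosk,ou=people,dc=example,dc=com" size.unchecked=20
# Looser limit for all other authenticated users:
limits users size.unchecked=500
```

The candidate count depends on which attributes are indexed, so check the effect of a chosen limit against both a broad filter and a legitimate exact-match filter before relying on it.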