Hiding entries (Was: (ITS#3724) back_meta more sizelimit problems)
- To: m.d.t.evans@qmul.ac.uk
- Subject: Hiding entries (Was: (ITS#3724) back_meta more sizelimit problems)
- From: "Pierangelo Masarati" <ando@sys-net.it>
- Date: Fri, 13 May 2005 19:08:38 +0200 (CEST)
- Cc: openldap-software@OpenLDAP.org
- Importance: Normal
- In-reply-to: <200505131627.j4DGRgPo065277@boole.openldap.org>
- References: <200505131627.j4DGRgPo065277@boole.openldap.org>
- User-agent: SquirrelMail/1.4.3a-1
[switching to -software to continue discussion]
> I think the problem that I was seeing was due to bad back-meta
> configuration and the fact that the filter for user1 actually matched
> entries in _both_ the local server and the remote servers. But the
> proxied user1 was being hidden from me by an access control list.
> Changing my search filter rewrite rule in the back-meta proxied tree to
> filter out the spurious, hidden, remote user1 entry solves the sizelimit
> problem.
>
> The remote server that I am using has many entries that I don't want to
> return. What would be nice would be to have a rewrite action for the
> searchResults context that could be used to discard entries. Is there a
> way of doing this?
Yes, there are different means for different purposes; I'm not quite sure
they all apply to 2.2, but they should.
If what you want to do is strip an attribute, you can map it to nothing, i.e.
map attribute uid
will discard "uid" from entries returned by the proxy, much like you would
do with a local ACL, except that it works two ways, i.e. "uid" would
be stripped also when writing thru the proxy.
If you want to discard selected values of DN-valued attributes you can
write rewrite rules for the "searchAttrDN" rewriteContext that return
unwillingToPerform (i.e. use an optional flag of "#" at the end of the
rewriteRule) in case of match. This doesn't alter the result of the
search operation, i.e. the entry is returned as appropriate, but the
specific DN-valued value is trimmed off. For example:
# ...
rewriteContext searchAttrDN
rewriteRule "^cn=[^,]+,dc=dontreturn,dc=com$" "" "#"
# ...
will strip all values of "member" that are rooted at
"dc=dontreturn,dc=com". This only applies to DN-valued attrs.
If you want to discard entire entries based on filter or DN you can act on
the "searchDN" and/or on the "searchFilterAttrDN" and "searchFilter"
rewriteContexts to modify them; for instance, if you want to be sure that
some filter is never used, you can AND it to the current filter, e.g.
# ...
rewriteContext searchFilter
rewriteRule ".*" "(&(!(<filter-to-negate>))%0)" ":@"
# ...
p.
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
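To see what the two rewriteRules above do to a search, here is an added, simplified emulation of the rewrite semantics the post relies on (regex match, %0 substitution, and the "#" unwillingToPerform flag trimming a DN value). It is illustration code written for this thread, not the OpenLDAP librewrite engine; the hidden filter "o=hidden" and the sample entry are constructed stand-ins for the post's <filter-to-negate> and for real proxied data.

```python
import re
from typing import Optional

# Constructed stand-in for the post's <filter-to-negate> placeholder.
HIDDEN_FILTER = "o=hidden"

# (rewriteContext, regex, substitution, flags), mirroring the two snippets in the post.
# Assumption (from slapo-rwm docs): %0 is the whole match, %1..%9 are sub-matches,
# "#" returns unwillingToPerform, "@" stops after the rule.
RULES = [
    ("searchAttrDN", r"^cn=[^,]+,dc=dontreturn,dc=com$", "", "#"),
    ("searchFilter", r".*", "(&(!(%s))%%0)" % HIDDEN_FILTER, ":@"),
]

def expand(subst: str, m: "re.Match") -> str:
    """Replace %0..%9 in the substitution with the match / sub-matches."""
    def group(tok: "re.Match") -> str:
        n = int(tok.group(1))
        return (m.group(n) or "") if n <= len(m.groups()) else ""
    return re.sub(r"%(\d)", group, subst)

def rewrite(context: str, value: str) -> Optional[str]:
    """Apply the first matching rule of `context`; None means the value is trimmed ("#")."""
    for ctx, pattern, subst, flags in RULES:
        if ctx != context:
            continue
        m = re.search(pattern, value)
        if m is None:
            continue
        if "#" in flags:
            return None            # unwillingToPerform: drop this DN value
        return expand(subst, m)    # "@": no further rules are applied
    return value                   # no rule matched: pass through unchanged

def proxied_filter(client_filter: str) -> str:
    """Filter actually sent to the remote server: the hidden filter is ANDed in negated."""
    out = rewrite("searchFilter", client_filter)
    return client_filter if out is None else out

def proxied_entry(entry: dict) -> dict:
    """Entry as returned to the client: rejected values of the DN-valued attr are removed."""
    out = {}
    for attr, values in entry.items():
        if attr.lower() == "member":   # the DN-valued attribute the post talks about
            values = [v for v in values if rewrite("searchAttrDN", v) is not None]
        out[attr] = values
    return out
```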