[Date Prev][Date Next] [Chronological] [Thread] [Top]

rwm searchAttrDN rewrite skipping some rewrites

To: openldap-technical@openldap.org
Subject: rwm searchAttrDN rewrite skipping some rewrites
From: Scott Koranda <skoranda@gmail.com>
Date: Fri, 7 Dec 2012 16:09:43 -0600
Content-disposition: inline
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=date:from:to:subject:message-id:mime-version:content-type :content-disposition:user-agent; bh=OEEP7qyt2VVT8OGi7PDcc5uOWTRbtqZDphvpWACX41M=; b=Sh4/1XtuZhLsf9wzdbCGGGudvkfLDhSXj1hHjXY/M9gSPr3OUgp5LpTqOxC3JvixAQ r1cxnBjNGtcMVD77n4L4oGfjyUnb9NmJOfys3xRedvphg6IpHe2Q8euFQgfLnNxjnRVB xpwDwIiMqDEBvjD/jNGswEUQA1Fj/JEZcQRBHAO0fmJPAQNimxZftUO7oG7z0agRpREk q6Fb0VhzCcJcPsEDvfXyYQyOdnEywYhikEjYLkl1DuZucJhzSxIT0/v5EBQDCBdRX1D6 Kz5O+eIMzbyDsDgtkiBXPab9ARFh7QinlJXuV8a4ZTdLlSyeO7L77CX97vexvH63tumu qDaA==
User-agent: Mutt/1.5.20 (2009-06-14)

Hi,

I am using OpenLDAP 2.4.33 and the rwm overlay.

I am attempting to remove ("hide") certain DN entries from
returned queries.

The rwm configuration looks like

overlay rwm
rwm-rewriteEngine on
rwm-rewriteContext searchAttrDN
rwm-rewriteRule "^employeeNumber=.*$" "$0" ":@"
rwm-rewriteRule "cn=.*" "" "#"

Without the rwm overlay the query with filter

'(&(objectClass=groupOfNames)(cn=LVCGroupMembers))' member

returns

dn: cn=LVCGroupMembers,ou=LVC,ou=Communities,ou=grouper,o=internal,dc=wiki,dc=myorg,dc=org
 member: employeeNumber=1377,ou=people,o=internal,dc=wiki,dc=myorg,dc=org
 member: cn=UWashingtonGroupMembers,ou=UWashington,ou=MOU,ou=LSC,ou=LVC,ou=Communities,ou=grouper,o=internal,dc=wiki,dc=myorg,dc=org
 member: employeeNumber=19,ou=people,o=internal,dc=wiki,dc=myorg,dc=org
 member: employeeNumber=1331,ou=people,o=internal,dc=wiki,dc=myorg,dc=org
 member: employeeNumber=935,ou=people,o=internal,dc=wiki,dc=myorg,dc=org
 member: employeeNumber=459,ou=people,o=internal,dc=wiki,dc=myorg,dc=org
 member: employeeNumber=876,ou=people,o=internal,dc=wiki,dc=myorg,dc=org

 <snip>

I want to "hide" the members with DNs of the form "cn=*" (I
want to squash the nested groups).

With the rwm configuration above the hiding almost works--93
of member DNs are "hidden", but 3 are not:

$ ldapsearch -D "<some bind dn>" -w password -x -LLL -b 'dc=wiki,dc=myorg,dc=org' -H ldaps://server.somewhere '(&(objectClass=groupOfNames)(cn=LVCGroupMembers))' member | grep cn
dn: cn=LVCGroupMembers,ou=LVC,ou=Communities,ou=grouper,o=internal,dc=wiki,dc=
member: cn=AGWGGroupMembers,ou=AGWG,ou=MOU,ou=LSC,ou=LVC,ou=Communities,ou=gro
member: cn=GWUGroupMembers,ou=GWU,ou=MOU,ou=LSC,ou=LVC,ou=Communities,ou=group
member: cn=ULBGroupMembers,ou=ULB,ou=MOU,ou=LSC,ou=LVC,ou=Communities,ou=group

I checked and the 3 DNs that survive are not different in any
substantial way then the 97 DNs that are effectively hidden.

Any ideas why the 3 DNs survive the rewriting?

Thanks,

Scott

Follow-Ups:
- Re: rwm searchAttrDN rewrite skipping some rewrites
  - From: Quanah Gibson-Mount <quanah@zimbra.com>

Prev by Date: Search for the last gidNumber/uidNumber
Next by Date: Re: rwm searchAttrDN rewrite skipping some rewrites
Index(es):
- Chronological
- Thread