[Date Prev][Date Next]
Re: (ITS#4942) configurable filter blocking
> ----- "h b furuseth" <email@example.com> wrote:
>> quanah@OpenLDAP.org writes:
>>> For example, I may want to block subfinal indices on the
>>> "suAffiliation" attribute in the cn=people,dc=stanford,dc=edu tree.
>> I should have added: Unless you've got a better answer than me for
>> why this is better than the "unchecked" limit, it might be more
>> useful to block "suAffiliation" from getting a "subfinal" index.
>> Then use the "unchecked" limit to block too general searches.
> Hi Hallvard,
> My reasoning comes from this: At my previous job we had a tree rooted at "dc=stanford,dc=edu". Controlling the indexing to allow/block certain types of searches has been very important, and the directory well tuned to that purpose. The following subtrees are what exist: cn=people, cn=accounts, and cn=organizations. cn=organizations is the newest subtree, and additional indexing had to be added on attributes that used to be indexed differently in the person tree. There is no desire to split the trees apart into their own databases, but indexing is per database (not per subtree).
> For example, displayName used to be indexed "eq" only. Now with organizations, we need to change the index to "eq,sub". So it would be nice to block substring filters of displayName in the cn=people tree, etc.
Should be simple enough to write an overlay that can be configured with
a URI and filter types to block. Just return Unwilling to Perform for
any matching patterns. Certainly not something that needs to be added to
the core code.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/