Re: (ITS#4942) configurable filter blocking

quanah@zimbra.com wrote:
> ----- "h b furuseth" <h.b.furuseth@usit.uio.no> wrote:
>> quanah@OpenLDAP.org writes:
>>> For example, I may want to block subfinal indices on the
>>> "suAffiliation" attribute in the cn=people,dc=stanford,dc=edu tree.
>> I should have added: Unless you've got a better answer than me for
>> why this is better than the "unchecked" limit, it might be more
>> useful to block "suAffiliation" from getting a "subfinal" index.
>> Then use the "unchecked" limit to block too general searches.
> Hi Hallvard,
> My reasoning comes from this:  At my previous job we had a tree rooted at "dc=stanford,dc=edu".  Controlling the indexing to allow/block certain types of searches has been very important, and the directory well tuned to that purpose.  The following subtrees are what exist: cn=people, cn=accounts, and cn=organizations.  cn=organizations is the newest subtree, and additional indexing had to be added on attributes that used to be indexed differently in the person tree.  There is no desire to split the trees apart into their own databases, but indexing is per database (not per subtree).
> For example, displayName used to be indexed "eq" only.  Now with organizations, we need to change the index to "eq,sub".  So it would be nice to block substring filters of displayName in the cn=people tree, etc.
> --Quanah

Should be simple enough to write an overlay that can be configured with 
a URI and filter types to block. Just return Unwilling to Perform for 
any matching patterns. Certainly not something that needs to be added to 
the core code.

   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP     http://www.openldap.org/project/
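
The decision logic such an overlay would need, as an added Python sketch (not slapd overlay code and not from any poster in this thread): given a search base, scope and RFC 4515 filter string, it returns Unwilling to Perform (53) when a filter item uses a blocked substring type on an attribute in a guarded subtree. The rule format, function names and the choice to also block searches rooted above the guarded subtree are assumptions.

```python
import re

UNWILLING_TO_PERFORM, SUCCESS = 53, 0   # LDAP result codes (RFC 4511)

# Constructed rules taken from the thread's two cases (rule format is an assumption):
# (subtree base, attribute, substring components to block)
RULES = [
    ("cn=people,dc=stanford,dc=edu", "suaffiliation", {"subfinal"}),
    ("cn=people,dc=stanford,dc=edu", "displayname", {"subinitial", "subany", "subfinal"}),
]

# Matches "(attr=value)" items only; >=, <=, ~= and extensible matches are skipped.
ITEM = re.compile(r"\(([A-Za-z][\w;.-]*)=([^()]*)\)")

def norm_dn(dn):
    """Crude DN normalisation (assumption): lowercase, trim spaces around RDNs."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def in_subtree(dn, base):
    dn, base = norm_dn(dn), norm_dn(base)
    return dn == base or dn.endswith("," + base)

def substring_parts(value):
    """Substring components used by an RFC 4515 assertion value.
    A literal asterisk is escaped as \\2a, so every raw '*' is a wildcard."""
    if "*" not in value:
        return set()                      # equality match
    pieces = value.split("*")
    parts = set()
    if pieces[0]:
        parts.add("subinitial")
    if pieces[-1]:
        parts.add("subfinal")
    if any(pieces[1:-1]):
        parts.add("subany")
    return parts                          # empty for presence "(attr=*)"

def check_search(base, scope, filterstr, rules=RULES):
    """Return 53 if any filter item uses a blocked substring type in a guarded subtree."""
    for attr, value in ITEM.findall(filterstr):
        name = attr.split(";")[0].lower()  # drop attribute options
        used = substring_parts(value)
        for rule_base, rule_attr, blocked in rules:
            # Conservative: a non-base search rooted above the subtree also reaches it.
            reaches = in_subtree(base, rule_base) or (
                scope != "base" and in_subtree(rule_base, base))
            if name == rule_attr and reaches and used & blocked:
                return UNWILLING_TO_PERFORM
    return SUCCESS
```

Without the check on searches rooted above the guarded subtree, a subtree search from dc=stanford,dc=edu would evaluate the same substring filter against cn=people entries unblocked.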