[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5760) attribute hiding in rwm overlay

[please reply to the ITS]

Brett @Google wrote:
> trying some different things with the last release.
> very interesting that rwm-map works with operational attributes, i can see
> hasSubordinates, subschemaSubentry, entryUUID but not the other
> non-operational attributes. Odd.
> # these dont
> rwm-map attribute cn *
> rwm-map attribute sn *
> rwm-map attribute givenName *
> rwm-map attribute mail *
> rwm-map attribute c *
> rwm-map attribute o *
> rwm-map attribute ou *
> # these work
> rwm-map attribute hasSubordinates *
> rwm-map attribute subschemaSubentry *
> rwm-map attribute entryUUID *
> # this enabled
> rwm-map attribute *

Some operational attrs are generated and not stored in the entry 
(hasSubordinates, entryDN, subschemaSubentry, ...).  As a consequence, 
they are not yet present in the entry when overlays see it during response.

slapo-rwm(5), in the operational() hook, could muck with generated 
operational attrs.  Currently, it remaps names, but does not consider 
removing disallowed attributes, AFAIR.

I do not favor mucking too much with operational attrs, as they are... 
operational.  I agree about the opportunity to rewrite the entryDN in 
order to support virtual views (what slapo-rwm(5) should actually do is 
replace any occurrence of entryDN in a SearchResultEntry with the 
entry's DN, if it differs), but probably we should disallow, for 
example, rewriting of creatorsName and modifiersName.

If there is anywhing you want to hide to clients, you should rather use 


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it