
Re: (ITS#5760) attribute hiding in rwm overlay



[please reply to the ITS]

Brett @Google wrote:
> trying some different things with the last release.
> 
> very interesting that rwm-map works with operational attributes, I can see
> hasSubordinates, subschemaSubentry, entryUUID but not the other
> non-operational attributes. Odd.
> 
> # these don't
> rwm-map attribute cn *
> rwm-map attribute sn *
> rwm-map attribute givenName *
> rwm-map attribute mail *
> rwm-map attribute c *
> rwm-map attribute o *
> rwm-map attribute ou *
> 
> # these work
> rwm-map attribute hasSubordinates *
> rwm-map attribute subschemaSubentry *
> rwm-map attribute entryUUID *
> 
> # this enabled
> rwm-map attribute *

Some operational attrs are generated and not stored in the entry 
(hasSubordinates, entryDN, subschemaSubentry, ...).  As a consequence, 
they are not yet present in the entry when overlays see it during response.

slapo-rwm(5), in the operational() hook, could muck with generated 
operational attrs.  Currently, it remaps names, but does not consider 
removing disallowed attributes, AFAIR.

I do not favor mucking too much with operational attrs, as they are... 
operational.  I agree about the opportunity to rewrite the entryDN in 
order to support virtual views (what slapo-rwm(5) should actually do is 
replace any occurrence of entryDN in a SearchResultEntry with the 
entry's DN, if it differs), but probably we should disallow, for 
example, rewriting of creatorsName and modifiersName.

If there is anything you want to hide from clients, you should rather use 
ACLs.

p.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------
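As an added illustration of the ACL approach suggested above (not part of the thread, and not OpenLDAP project configuration), the slapd.conf fragment below hides from all clients the same non-operational attributes the quoted rwm-map lines tried to blank out, while leaving the rest of the entry readable; the database type and suffix are placeholders.

```text
# Added example: hide attributes with ACLs instead of rwm-map.
# Database section is a placeholder; only the access clauses matter here.
database    mdb
suffix      "dc=example,dc=com"

# Attribute renaming/masking still belongs to slapo-rwm if a virtual
# view is needed, but hiding is done by the ACLs that follow.
overlay     rwm
rwm-map     attribute *

# ACLs are evaluated in order; the first "access to" clause whose target
# matches wins. Deny every client any access (read or search) to the
# attributes that should not leave the server.
access to attrs=cn,sn,givenName,mail,c,o,ou
        by * none

# Everything else (including generated operational attributes such as
# hasSubordinates and entryUUID, if requested) stays readable.
access to *
        by * read
```

Because the denied attributes get access level "none", clients can neither read them nor match on them in a search filter, which is stronger than merely dropping them from the SearchResultEntry in an overlay.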