Problem with searches on unindexed attributes

[Marc-Andre Gaudreau <Marc-Andre.Gaudreau@USherbrooke.ca>]

Hi,

Here is my problem...

When I do an anonymous search on an unindexed attribute, the load on my 
server goes way up (a slapd process takes all the cpu).  Turning on 
heavy logging, I was able to see that this process actually goes through 
all of our 40,000 records and checks if "anonymous" can perform a search 
operation on this attribute for this record (which he can't because we 
block pretty much everything to "anonymous" in our ACLs).  Of course, 
doing this takes a lot of time.  If I do the same thing on an indexed 
attribute, it only goes through a few records instead of all of them 
(which is correct).

Currently, this is only a minor problem since only a few trusted servers 
can communicate with our ldap server and we simply don't perform 
searches on unindexed attributes.  However, this will change soon and we 
don't want somebody to put the server down by sending a bunch of 
anonymous searches on unindexed attributes.

Of course, building indexes on all the attributes would solve the 
problem.  However, I already have indexes for all the attributes on 
which I want to allow searches (my ACLs block searches on all the other 
attributes anyway) and don't really need more (I've got a lot of 
unindexed attributes).

Is there any way to completely disable searches on an attribute?  Any 
way to make the process return without going through all the records?

Thanks.