[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Hiding entries (Was: (ITS#3724) back_meta more sizelimit problems)

On Fri, 2005-05-13 at 19:08 +0200, Pierangelo Masarati wrote:
> If you want to discard selected values of a DN-valued attributes you can
> write rewrite rules for the "searchAttrDN" rewriteContext that return
> unwillingToPerform (i.e. use an optional flag of "#" at the end of the
> rewriteRule) in case of match.  This doesn't alter the result of the
> search operation, i.e. the entry is returned as appropriate, but the
> specific Dn-valued value is trimmed off.  For example:
> # ...
> rewriteContext  searchAttrDN
> rewriteRule     "^cn=[^,]+,dc=dontreturn,dc=com$" "" "#"
> # ...

I tried the # action in a searchResults context. My worry is that some
ldap clients may not like the like the "unwilling to perform" error when
their search returns some entries that are wanted and some that are
hidden. Ideally, what I was suggesting was like # but (when in a
searchResults context) returned no error, no entry and carried on to
return other entries that match from the remote server. However, what
you suggest below (with the searchFilter context), is probably a better
solution anyway.

> will strip all values of "member" tah are rooted at
> "dc=dontreturn,dc=com". This only applies to DN-valued attrs.
> If you want to discard entire entries based on filter or DN you can act on
> the "searchDN" and/or on the "searchFilterAttrDN" and "searchFilter"
> rewriteContexts to modify them; for instance, if you want to be sure that
> some filter is never used, you can AND it to the current filter, e.g.
> # ...
> rewriteContext  searchFilter
> rewriteRule     ".*" "(&(!(<filter-to-negate>))%0)" ":@"
> # ...

Yes, this works well for me:

rewriteRule ".*" "(&(uid=user*)%0)" ":@"

As I want to only select entries from the remote server that have a
known prefix e.g. uid=user001.

Finally, thanks (again) for all your help with this.


-- Dr MDT Evans, Computing Services, Queen Mary, University of London