[Date Prev][Date Next] [Chronological] [Thread] [Top]

"Hide" certain DNs

I'm looking for a way to prevent a specific DN from a remote server
from showing up when being accessed through back-ldap (specifically,

I have tried something like this:

access to dn.base="cn=psu.facstaff,dc=psu,dc=edu"
    by * none

This actually ended up preventing other dn's from showing up.

If I prevent only attrs=member,memberUid, that mostly works, but I
take it the ACLs are being applied after it has already searched, so
it still takes forever to return (one of my mac clients is taking
close to a minute to enumerate group membership because of this).

For anyone that's curious, the reason for doing this is psu.facstaff
is a group, and it has something around 64k attributes on it, which is
bringing my local openldap server to its knees sadly.

Andy Cobaugh