"Hide" certain DNs



I'm looking for a way to prevent a specific DN from a remote server
from showing up when being accessed through back-ldap (specifically,
slapo-translucent).

I have tried something like this:

access to dn.base="cn=psu.facstaff,dc=psu,dc=edu"
    by * none

This actually ended up preventing other DNs from showing up.

If I prevent only attrs=member,memberUid, that mostly works, but I
take it the ACLs are being applied after it has already searched, so
it still takes forever to return (one of my Mac clients is taking
close to a minute to enumerate group membership because of this).

For anyone that's curious, the reason for doing this is psu.facstaff
is a group, and it has something around 64k attributes on it, which is
bringing my local OpenLDAP server to its knees sadly.


-- 
Andy Cobaugh
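
A point to check with a rule set like the one quoted above, shown as an added example that is not part of the original post: slapd ends every access list with an implicit `access to * by * none`, so a configuration whose only access directive is the deny rule also denies every other entry. The sketch below assumes no other access directives exist in that database section and that read access for everyone else is the intended policy; it addresses only entry visibility, not the time spent fetching the entry from the remote server.

```conf
# Before: the only access directive in the database section.
# slapd appends an implicit "access to * by * none" after it,
# so every other entry is hidden as well.
#
#   access to dn.base="cn=psu.facstaff,dc=psu,dc=edu"
#       by * none

# After: the deny rule for the single entry comes first, because
# slapd stops at the first "access to" clause matching the entry.
access to dn.base="cn=psu.facstaff,dc=psu,dc=edu"
    by * none

# Explicit catch-all (assumed policy) so that remaining entries do
# not fall through to the implicit default deny.
access to *
    by * read
```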