Geert Hendrickx wrote:

> Is there a way to restrict (acl?) searches using wildcards?

AFAIK no.

> For compliance reasons, I want to allow certain (actually most) users to
> search on eg. known email addresses, like: mail=user@example.org, but not
> to retrieve a list of all users, like mail=*@example.org.
>
> Sizelimit restriction is not enough, because they could still iteratively
> retrieve everything, without launching an actual dictionary attack on all
> possible mail addresses, which would be much harder.

You could remove the SUBSTR matching rule from the attribute type description of 'mail' (in core.schema or core.ldif).

Caveats:

1. Probably you already know that tweaking standard schema is not recommended.
2. It disables sub-string matching on 'mail' completely.

You might solve this by building a partial replica or an LDAP proxy dedicated to the exact search on known e-mail addresses.

AFAICS other possibilities would be implementing an overlay or a dynacl module for your specific needs.

Ciao, Michael.
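To make the schema suggestion concrete, here is an added example (not part of the thread, and not a patch from the OpenLDAP project) showing the standard 'mail' attribute type as defined in OpenLDAP's core schema next to the same definition with the SUBSTR rule removed, written in the cn=config (core.ldif) form. The OID, names and matching rules are the standard ones; only the removal of the SUBSTR line is the change being illustrated.

```ldif
# Added example: the 'mail' attribute type before and after removing SUBSTR.

# Standard definition from core.ldif: equality and substring matching are
# both defined, so (mail=user@example.org) and (mail=*@example.org) are
# both evaluated by the server.
olcAttributeTypes: ( 0.9.2342.19200300.100.1.3 NAME ( 'mail' 'rfc822Mailbox' )
  DESC 'RFC1274: RFC822 Mailbox' EQUALITY caseIgnoreIA5Match
  SUBSTR caseIgnoreIA5SubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )

# Same attribute type with the SUBSTR rule removed. A substring filter such
# as (mail=*@example.org) now has no matching rule to evaluate against, so
# per RFC 4511 the filter item evaluates to Undefined and matches no entry,
# while the exact search (mail=user@example.org) still works through the
# EQUALITY rule.
olcAttributeTypes: ( 0.9.2342.19200300.100.1.3 NAME ( 'mail' 'rfc822Mailbox' )
  DESC 'RFC1274: RFC822 Mailbox' EQUALITY caseIgnoreIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
```

One caveat worth checking before relying on this: a bare presence filter, (mail=*), is not a substring filter and needs no matching rule, so it is unaffected by the change and still returns every entry that has a mail value. Enumeration through presence filters has to be handled by access control (or the proxy approach from the reply), not by the schema.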
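The reply's alternative, a proxy "dedicated to the exact search on known e-mail addresses", needs one central piece: a check that accepts a search filter only when every assertion on 'mail' is an exact equality match. The following is an added example written for this thread, not code from OpenLDAP or from either poster; the function names (`parse_filter`, `is_exact_mail_search`) and the tiny RFC 4515 filter parser are assumptions of the example. It goes slightly beyond the single filters quoted above by walking nested and/or/not filters, so a wildcard hidden inside an OR branch is rejected too, and it treats presence filters (`mail=*`) the same way as substring ones, since both list users rather than look one up.

```python
# Added example: a filter gate for an LDAP proxy that only forwards exact
# searches on 'mail'. Minimal RFC 4515 filter parser; extensible-match
# filters (":=") are deliberately not supported and raise ValueError.
import re

# attribute description, then one of the comparison operators, then the value
_ITEM = re.compile(r'^([A-Za-z][A-Za-z0-9.;-]*)(>=|<=|~=|=)(.*)$', re.S)


def parse_filter(text, pos=0):
    """Parse one filter starting at text[pos]; return (node, next_pos).

    Node shapes: ('and', [nodes]), ('or', [nodes]), ('not', node),
    ('item', attr_lowercase, op, value).
    """
    if pos >= len(text) or text[pos] != '(':
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if pos < len(text) and text[pos] in '&|!':
        kind = {'&': 'and', '|': 'or', '!': 'not'}[text[pos]]
        pos += 1
        children = []
        while pos < len(text) and text[pos] == '(':
            child, pos = parse_filter(text, pos)
            children.append(child)
        if pos >= len(text) or text[pos] != ')':
            raise ValueError(f"expected ')' at offset {pos}")
        if kind == 'not':
            if len(children) != 1:
                raise ValueError("'!' takes exactly one filter")
            return ('not', children[0]), pos + 1
        if not children:
            raise ValueError(f"'{kind}' needs at least one filter")
        return (kind, children), pos + 1
    # Simple item: a ')' inside a value must be escaped as \29 (RFC 4515),
    # so the first unescaped ')' closes the item.
    end = text.find(')', pos)
    if end < 0:
        raise ValueError("unterminated filter item")
    m = _ITEM.match(text[pos:end])
    if not m:
        raise ValueError(f"unsupported filter item: {text[pos:end]!r}")
    attr, op, value = m.groups()
    return ('item', attr.lower(), op, value), end + 1


def mail_assertions(node):
    """Yield (op, value) for every assertion on 'mail' anywhere in the tree."""
    kind = node[0]
    if kind == 'item':
        if node[1] == 'mail':
            yield node[2], node[3]
    elif kind == 'not':
        yield from mail_assertions(node[1])
    else:
        for child in node[1]:
            yield from mail_assertions(child)


def is_exact_mail_search(filter_text):
    """Return True only if the filter asserts on 'mail' at least once and every
    such assertion is an equality match on a literal value.

    An unescaped '*' in the value makes the item a presence or substring
    filter, which lists users instead of looking one up, so it is rejected.
    An escaped asterisk (\\2a) is a literal character and stays allowed.
    """
    tree, consumed = parse_filter(filter_text)
    if consumed != len(filter_text):
        raise ValueError("trailing data after filter")
    seen_mail = False
    for op, value in mail_assertions(tree):
        seen_mail = True
        if op != '=' or '*' in value:
            return False
    return seen_mail


if __name__ == '__main__':
    # Constructed sample filters: the two from the thread plus nested variants.
    for f in ['(mail=user@example.org)',
              '(mail=*@example.org)',
              '(mail=*)',
              '(&(objectClass=person)(mail=user@example.org))',
              '(|(mail=a@example.org)(mail=b*))']:
        print(f, '->', 'forward' if is_exact_mail_search(f) else 'reject')
```

In a proxy, the decision would be made once per incoming SearchRequest before it is relayed to the directory; filters that raise `ValueError` should be rejected as well, since an unparseable filter is not a known-good exact lookup.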