----- "h b furuseth" <h.b.furuseth(a)usit.uio.no> wrote:
> quanah(a)OpenLDAP.org writes:
> > For example, I may want to block subfinal indices on the
> > "suAffiliation" attribute in the cn=people,dc=stanford,dc=edu tree.
>
> I should have added: Unless you've got a better answer than me for
> why this is better than the "unchecked" limit, it might be more
> useful to block "suAffiliation" from getting a "subfinal" index.
> Then use the "unchecked" limit to block too general searches.
Hi Hallvard,
My reasoning comes from this: At my previous job we had a tree rooted at "dc=stanford,dc=edu". Controlling the indexing to allow/block certain types of searches has been very important, and the directory well tuned to that purpose. The following subtrees are what exist: cn=people, cn=accounts, and cn=organizations. cn=organizations is the newest subtree, and additional indexing had to be added on attributes that used to be indexed differently in the person tree. There is no desire to split the trees apart into their own databases, but indexing is per database (not per subtree).
For example, displayName used to be indexed "eq" only. Now with organizations, we need to change the index to "eq,sub". So it would be nice to block substring filters of displayName in the cn=people tree, etc.
--Quanah