[please reply to the ITS]
Brett @Google wrote:
Trying some different things with the last release.
Very interesting that rwm-map works with operational attributes; I can see
hasSubordinates, subschemaSubentry, entryUUID but not the other
non-operational attributes. Odd.
# these don't
rwm-map attribute cn *
rwm-map attribute sn *
rwm-map attribute givenName *
rwm-map attribute mail *
rwm-map attribute c *
rwm-map attribute o *
rwm-map attribute ou *
# these work
rwm-map attribute hasSubordinates *
rwm-map attribute subschemaSubentry *
rwm-map attribute entryUUID *
# this enabled
rwm-map attribute *
Some operational attrs are generated and not stored in the entry
(hasSubordinates, entryDN, subschemaSubentry, ...). As a consequence,
they are not yet present in the entry when overlays see it during response.
slapo-rwm(5), in the operational() hook, could muck with generated
operational attrs. Currently, it remaps names, but does not consider
removing disallowed attributes, AFAIR.
I do not favor mucking too much with operational attrs, as they are...
operational. I agree about the opportunity to rewrite the entryDN in
order to support virtual views (what slapo-rwm(5) should actually do is
replace any occurrence of entryDN in a SearchResultEntry with the
entry's DN, if it differs), but probably we should disallow, for
example, rewriting of creatorsName and modifiersName.
If there is anything you want to hide from clients, you should rather use
ACLs.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando(a)sys-net.it
-----------------------------------
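
The ACL approach recommended in the reply above, as an added example that is not part of the original message or of the OpenLDAP project's own material. It is a slapd.conf fragment for the database section; the suffix, the admin DN and the choice of attributes to hide are assumptions made for illustration.

```conf
# Added example: hide attributes from clients with ACLs instead of rwm-map.
# Placeholder naming context and admin identity (assumptions):
#   suffix    dc=example,dc=com
#   admin DN  cn=admin,dc=example,dc=com
#
# slapd evaluates "access to" directives in order and stops at the first
# <what> clause that matches, so the restrictive rules must come before
# the catch-all at the bottom.

# Operational attributes that reveal who created or changed an entry:
# readable by the admin identity only, invisible to everyone else.
access to attrs=creatorsName,modifiersName
    by dn.exact="cn=admin,dc=example,dc=com" read
    by * none

# A user attribute (mail) that authenticated clients may read
# but anonymous clients must not see.
access to attrs=mail
    by users read
    by * none

# Everything else stays readable.
access to *
    by * read
```

Unlike an attribute map in the overlay, these rules are enforced by slapd's access control for search, compare and read alike, so a hidden attribute cannot be used in a filter to probe for its value.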