[please reply to the ITS] Brett @Google wrote: Some operational attrs are generated and not stored in the entry (hasSubordinates, entryDN, subschemaSubentry, ...). As a consequence, they are not yet present in the entry when overlays see it during response. slapo-rwm(5), in the operational() hook, could muck with generated operational attrs. Currently, it remaps names, but does not consider removing disallowed attributes, AFAIR. I do not favor mucking too much with operational attrs, as they are... operational. I agree about the opportunity to rewrite the entryDN in order to support virtual views (what slapo-rwm(5) should actually do is replace any occurrence of entryDN in a SearchResultEntry with the entry's DN, if it differs), but probably we should disallow, for example, rewriting of creatorsName and modifiersName. If there is anywhing you want to hide to clients, you should rather use ACLs. p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Fax: +39 0382 476497 Email: ando(a)sys-net.it -----------------------------------