Re: (ITS#5760) attribute hiding in rwm overlay

Thursday, 30 October 2008

[please reply to the ITS]

Brett @Google wrote:
...
 trying some different things with the last release.

 very interesting that rwm-map works with operational attributes, i can see
 hasSubordinates, subschemaSubentry, entryUUID but not the other
 non-operational attributes. Odd.

 # these dont
 rwm-map attribute cn *
 rwm-map attribute sn *
 rwm-map attribute givenName *
 rwm-map attribute mail *
 rwm-map attribute c *
 rwm-map attribute o *
 rwm-map attribute ou *

 # these work
 rwm-map attribute hasSubordinates *
 rwm-map attribute subschemaSubentry *
 rwm-map attribute entryUUID *

 # this enabled
 rwm-map attribute * 
Some operational attrs are generated and not stored in the entry 
(hasSubordinates, entryDN, subschemaSubentry, ...).  As a consequence, 
they are not yet present in the entry when overlays see it during response.

slapo-rwm(5), in the operational() hook, could muck with generated 
operational attrs.  Currently, it remaps names, but does not consider 
removing disallowed attributes, AFAIR.

I do not favor mucking too much with operational attrs, as they are... 
operational.  I agree about the opportunity to rewrite the entryDN in 
order to support virtual views (what slapo-rwm(5) should actually do is 
replace any occurrence of entryDN in a SearchResultEntry with the 
entry's DN, if it differs), but probably we should disallow, for 
example, rewriting of creatorsName and modifiersName.

If there is anywhing you want to hide to clients, you should rather use 
ACLs.

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando(a)sys-net.it
-----------------------------------

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006