hyc(a)symas.com wrote: > Andrew Findlay wrote: >> On Wed, Feb 23, 2011 at 08:58:33AM +0000, hyc(a)symas.com wrote: >> >>> Possibly we can extend the directive to handle exclusion as well as inclusion, >>> to simplify this case. >> Extending this idea slightly, would it be possible to have >> exclusions based on changes to specific attributes? The >> particular case I have in mind is where accesslog is used to >> keep a permanent audit log of changes, and ppolicy is also >> in use, resulting in one audit entry for every login >> failure. I have one site where a large proportion of the auditlog >> entries are login failures... > > Perhaps in that case, it would be simpler just to set ppolicy's mods to be > internal-only and bypass the accesslog overlay. (Currently it does this > already, if the server is a single-master replica.) > > So far you're talking about two different enhancements - the original poster > is trying to exclude a set of searches, and you're talking about excluding > modify ops. I'm not seeing any way yet to generalize from here such that all > operation types are addressed meaningfully, and I don't want to introduce > multiple special cases to the config language. A URI-based restriction specification could include/exclude based on suffix, filter and listed attributes with a unified syntax.