jorge.perez.burgos@ericsson.com wrote:
Full_Name: Jorge Perez Burgos
Version: 2.4.21
OS: linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (195.235.15.243)
I'd suggest introducing a "subtree-include" directive, mutually exclusive with "subtree-exclude", with different syntaxes, like:
"[dn[.<style>]:]<pattern>"
where <style> can be "subtree" or "regex" (other styles like "exact", "onelevel", "subordinate" could make sense but would be of limited usefulness); so, for example
"dn.subtree:<dn>" ("dn.subtree" implicit for backward compatibility)
"dn.regex:<pattern>"
The "dn.<style>:" prefix is consistent with other features like ACLs, limits and so on. There's ITS#5877 open about making this uniform across slapd for all features.
Multiple patterns could be defined; the first that matches would stop execution. If configured as "subtree-exclude", a match would qualify the target as "non-candidate" (current behavior for "subtree-exclude"). If configured as "subtree-include", a match would qualify the target as "candidate".
Jorge and I discussed this off-line; suggestions are welcome, otherwise I'd implement it this way right now with ad-hoc code, and eventually turn it into a generally useful feature that could be reused in ACLs, limits, authz, and in other to-be-defined features.
p.
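
The matching semantics proposed in this message, sketched as an added example in Python; it is not slapd code or part of the original message. The function names, the simplified DN normalization and the no-match defaults (an unmatched target is skipped under "subtree-include" and kept under "subtree-exclude") are assumptions made for illustration.

```python
import re

def normalize_dn(dn):
    # Simplified stand-in for real DN normalization (assumption): lowercase,
    # trim spaces around RDN separators; escaped commas are not handled.
    return ",".join(rdn.strip() for rdn in dn.lower().split(","))

def parse_pattern(spec):
    """Parse "[dn[.<style>]:]<pattern>"; a bare pattern means dn.subtree."""
    m = re.match(r"dn(?:\.([a-z]+))?:(.*)$", spec, re.S)
    if m:
        style, pattern = m.group(1) or "subtree", m.group(2)
    else:
        style, pattern = "subtree", spec
    if style == "regex":
        return style, re.compile(pattern, re.I)
    if style == "subtree":
        return style, normalize_dn(pattern)
    raise ValueError("unsupported dn style: %r" % style)

def matches(rule, dn):
    style, data = rule
    dn = normalize_dn(dn)
    if style == "regex":
        return data.search(dn) is not None
    # Subtree: the base itself, or a DN ending in ",<base>". The comma keeps
    # "dc=com" from matching base "c=com" on a plain string suffix.
    return dn == data or dn.endswith("," + data)

def is_candidate(directive, specs, dn):
    rules = [parse_pattern(s) for s in specs]
    hit = any(matches(r, dn) for r in rules)  # stops at the first match
    if directive == "subtree-include":
        return hit          # match => candidate; no match => skipped (assumed)
    if directive == "subtree-exclude":
        return not hit      # match => non-candidate; no match => candidate
    raise ValueError("unknown directive: %r" % directive)

if __name__ == "__main__":
    # Constructed sample configuration and DNs.
    include = ["dn.regex:^cn=[^,]+,ou=people,", "ou=groups,dc=example,dc=com"]
    for dn in ("CN=Bob, OU=People, DC=example, DC=com",
               "cn=admins,ou=groups,dc=example,dc=com",
               "cn=svc,ou=private,dc=example,dc=com"):
        print(dn, "->", is_candidate("subtree-include", include, dn))
```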