I'm looking for a way to prevent a specific DN from a remote server
from showing up when being accessed through back-ldap (specifically,
slapo-translucent).
I have tried something like this:

    access to dn.base="cn=psu.facstaff,dc=psu,dc=edu"
        by * none

This actually ended up preventing other DNs from showing up.
If I prevent only attrs=member,memberUid, that mostly works, but I
take it the ACLs are being applied after it has already searched, so
it still takes forever to return (one of my Mac clients is taking
close to a minute to enumerate group membership because of this).
For anyone that's curious, the reason for doing this is psu.facstaff
is a group, and it has something around 64k attributes on it, which is
bringing my local OpenLDAP server to its knees sadly.
--
Andy Cobaugh