I'm looking for a way to prevent a specific DN from a remote server from showing up when being accessed through back-ldap (specifically, slapo-translucent).
I have tried something like this:
access to dn.base="cn=psu.facstaff,dc=psu,dc=edu" by * none
This actually ended up preventing other DNs from showing up.
If I prevent only attrs=member,memberUid, that mostly works, but I take it the ACLs are being applied after it has already searched, so it still takes forever to return (one of my Mac clients is taking close to a minute to enumerate group membership because of this).
For anyone that's curious, the reason for doing this is that psu.facstaff is a group, and it has something around 64k attributes on it, which is sadly bringing my local OpenLDAP server to its knees.
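
An added example (not part of the original post and not OpenLDAP code): a simplified Python model of how slapd selects an access directive, showing why a lone `access to dn.base=... by * none` line can hide every other DN as well. It models only `dn.base` and `*` targets with a single `by *` clause; the two extra DNs and the trailing `access to * by * read` rule are assumptions made for illustration.

```python
# Simplified model of slapd access-directive selection (illustrative only).
# Each ACL is (what, level): `what` is "*" or a dn.base value, `level` is the
# access granted by a single "by * <level>" clause.

GROUP_DN = "cn=psu.facstaff,dc=psu,dc=edu"   # DN from the post

# Constructed sample entries; the last two DNs are assumptions.
DNS = [
    GROUP_DN,
    "cn=other.group,dc=psu,dc=edu",
    "uid=jdoe,dc=psu,dc=edu",
]

def access_for(acls, dn):
    """Return the access level an ordinary (non-rootdn) client gets for dn."""
    if not acls:
        # No access directives configured at all: slapd defaults to read.
        return "read"
    for what, level in acls:
        # Directives are tried in order; the first matching <what> decides.
        # Lower-casing stands in for real DN normalization.
        if what == "*" or what.lower() == dn.lower():
            return level
    # At least one directive exists but none matched this entry:
    # slapd behaves as if "access to * by * none" ended the list.
    return "none"

def visible(acls, dns):
    """Entries a search would still return under the given ACL list."""
    return [dn for dn in dns if access_for(acls, dn) != "none"]

NO_ACLS = []
SINGLE_DENY = [(GROUP_DN, "none")]               # the rule from the post
DENY_THEN_READ = SINGLE_DENY + [("*", "read")]   # assumed catch-all rule

if __name__ == "__main__":
    for name, acls in [("no ACLs", NO_ACLS),
                       ("single deny", SINGLE_DENY),
                       ("deny + catch-all read", DENY_THEN_READ)]:
        print(f"{name}: {visible(acls, DNS)}")
```

The model covers ACL selection only; it says nothing about when back-ldap or slapo-translucent fetches the entry from the remote server, which is the latency issue described in the post.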