I'm looking for a way to prevent a specific DN from a remote server from showing up when being accessed through back-ldap (specifically, slapo-translucent).
I have tried something like this:
access to dn.base="cn=psu.facstaff,dc=psu,dc=edu" by * none
This actually ended up preventing other DNs from showing up.
If I prevent only attrs=member,memberUid, that mostly works, but I take it the ACLs are being applied after it has already searched, so it still takes forever to return (one of my Mac clients is taking close to a minute to enumerate group membership because of this).
For anyone who's curious, the reason for doing this is that psu.facstaff is a group, and it has something around 64k attributes on it, which is sadly bringing my local OpenLDAP server to its knees.
Andrew Cobaugh writes:
> I have tried something like this:
> access to dn.base="cn=psu.facstaff,dc=psu,dc=edu" by * none
> This actually ended up preventing other DNs from showing up.
Prevented others from showing up in what kind of searches? It also prevents you from using that DN as the base DN of a search. See OPERATION REQUIREMENTS in man slapd.access. If that's not intended, try 'by * =scxd' instead. See THE <ACCESS> FIELD in the manpage. Or omit the 'd' with older OpenLDAP versions.
openldap-software@openldap.org
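To make the difference between the two ACL forms concrete, here is a slapd.conf fragment written as an added example for this thread (it is not from either poster); the group DN is the one from the question, and the trailing catch-all rule is an assumption.

```conf
# Added example (not from the thread): slapd.conf ACLs for the
# cn=psu.facstaff entry as served through slapo-translucent / back-ldap.
# ACLs are evaluated in order; the first "access to" clause whose target
# matches the entry is the one that applies, so the specific rule has to
# come before any catch-all.

# Form from the original question: "none" removes even search (s) and
# disclose (d) access to the entry pseudo-attribute, so the DN can no
# longer be used as the base of a search (see OPERATION REQUIREMENTS in
# slapd.access(5)).
#access to dn.base="cn=psu.facstaff,dc=psu,dc=edu"
#        by * none

# Suggested replacement: grant exactly search, compare, auth and
# disclose, but not read. The entry can still serve as a search base and
# can be matched by a filter, but it is not returned to clients, so the
# ~64k member / memberUid values never reach them. On OpenLDAP releases
# without the "d" privilege, use "=scx" instead.
access to dn.base="cn=psu.facstaff,dc=psu,dc=edu"
        by * =scxd

# Alternative from the question: hide only the oversized attributes and
# leave the rest of the entry readable. This does not make the remote
# search any faster, because the ACL is applied to the result after
# back-ldap has already fetched the full entry from the remote server.
#access to dn.base="cn=psu.facstaff,dc=psu,dc=edu" attrs=member,memberUid
#        by * none

# Catch-all (assumed): everything else stays readable.
access to *
        by * read
```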