Geert Hendrickx wrote:
> Is there a way to restrict (acl?) searches using wildcards?
AFAIK no.
> For compliance reasons, I want to allow certain (actually most) users to search on e.g. known email addresses, like: mail=user@example.org, but not to retrieve a list of all users, like mail=*@example.org.
> Sizelimit restriction is not enough, because they could still iteratively retrieve everything, without launching an actual dictionary attack on all possible mail addresses, which would be much harder.
You could remove the SUBSTR matching rule from the attribute type description of 'mail' (in core.schema or core.ldif).
Caveats:
1. Probably you already know that tweaking the standard schema is not recommended.
2. It disables sub-string matching on 'mail' completely. You might solve this by building a partial replica or an LDAP proxy dedicated to exact searches on known e-mail addresses.
AFAICS other possibilities would be implementing an overlay or a dynacl module for your specific needs.
Ciao, Michael.
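As an added illustration (not part of Michael's reply or of the OpenLDAP project's documentation), here is the 'mail' attribute type as it is defined in OpenLDAP's core.schema, followed by the same definition with the SUBSTR matching rule removed, which is the change suggested above. The OID, matching rule names and syntax are the standard ones from core.schema; the directory suffix dc=example,dc=org used in the check below is an assumption.

```text
# Original definition of 'mail' from OpenLDAP core.schema (slapd.conf schema format).
# The SUBSTR line is what allows the server to evaluate substring filters
# such as (mail=*@example.org).
attributetype ( 0.9.2342.19200300.100.1.3
    NAME ( 'mail' 'rfc822Mailbox' )
    DESC 'RFC1274 mailbox'
    EQUALITY caseIgnoreIA5Match
    SUBSTR caseIgnoreIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )

# Modified definition with the substring matching rule removed.
# Exact-match filters like (mail=user@example.org) still work through the
# EQUALITY rule; a substring filter on 'mail' can no longer be evaluated,
# so (mail=*@example.org) matches no entries.
attributetype ( 0.9.2342.19200300.100.1.3
    NAME ( 'mail' 'rfc822Mailbox' )
    DESC 'RFC1274 mailbox'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
```

With a cn=config deployment the same definition is a single olcAttributeTypes value in core.ldif (loaded into cn={0}core,cn=schema,cn=config); drop the SUBSTR clause there before the schema is loaded. Also remove any `sub` index on mail (for example `index mail eq,sub` becomes `index mail eq`), because slapd refuses a substring index on an attribute that has no SUBSTR rule. After restarting slapd, `ldapsearch -x -b dc=example,dc=org '(mail=user@example.org)'` should still return the entry, while `ldapsearch -x -b dc=example,dc=org '(mail=*@example.org)'` returns no entries. Note that this blocks substring filters only: a presence filter such as `(mail=*)` needs no matching rule and still lists every entry that has a mail attribute, so the sizelimit remains the only restriction on that kind of query.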