Hi,

I am using OpenLDAP 2.4.33 and the rwm overlay.

I am attempting to remove ("hide") certain DN entries from returned queries.

The rwm configuration looks like

overlay rwm rwm-rewriteEngine on rwm-rewriteContext searchAttrDN rwm-rewriteRule "^employeeNumber=.*$" "$0" ":@" rwm-rewriteRule "cn=.*" "" "#"

Without the rwm overlay the query with filter

'(&(objectClass=groupOfNames)(cn=LVCGroupMembers))' member

returns

dn: cn=LVCGroupMembers,ou=LVC,ou=Communities,ou=grouper,o=internal,dc=wiki,dc=myorg,dc=org member: employeeNumber=1377,ou=people,o=internal,dc=wiki,dc=myorg,dc=org member: cn=UWashingtonGroupMembers,ou=UWashington,ou=MOU,ou=LSC,ou=LVC,ou=Communities,ou=grouper,o=internal,dc=wiki,dc=myorg,dc=org member: employeeNumber=19,ou=people,o=internal,dc=wiki,dc=myorg,dc=org member: employeeNumber=1331,ou=people,o=internal,dc=wiki,dc=myorg,dc=org member: employeeNumber=935,ou=people,o=internal,dc=wiki,dc=myorg,dc=org member: employeeNumber=459,ou=people,o=internal,dc=wiki,dc=myorg,dc=org member: employeeNumber=876,ou=people,o=internal,dc=wiki,dc=myorg,dc=org

<snip>

I want to "hide" the members with DNs of the form "cn=*" (I want to squash the nested groups).

With the rwm configuration above the hiding almost works--93 of member DNs are "hidden", but 3 are not:

$ ldapsearch -D "<some bind dn>" -w password -x -LLL -b 'dc=wiki,dc=myorg,dc=org' -H ldaps://server.somewhere '(&(objectClass=groupOfNames)(cn=LVCGroupMembers))' member | grep cn dn: cn=LVCGroupMembers,ou=LVC,ou=Communities,ou=grouper,o=internal,dc=wiki,dc= member: cn=AGWGGroupMembers,ou=AGWG,ou=MOU,ou=LSC,ou=LVC,ou=Communities,ou=gro member: cn=GWUGroupMembers,ou=GWU,ou=MOU,ou=LSC,ou=LVC,ou=Communities,ou=group member: cn=ULBGroupMembers,ou=ULB,ou=MOU,ou=LSC,ou=LVC,ou=Communities,ou=group

I checked and the 3 DNs that survive are not different in any substantial way then the 97 DNs that are effectively hidden.

Any ideas why the 3 DNs survive the rewriting?

Thanks,

Scott