On Sun, 2008-03-30 at 07:17 +1100, Alex Samad wrote:
> > That would be a solution but not something I would want to
> > implement. If it were some sort of search already I could add it but
> > since this is an attribute lookup like any other.
>
> shouldn't be that hard to do, from my limited knowledge of looking at
> the code, I guess at that point you already have the dn, it should be
> as simple as search for (&(dn=<cached dn>)(objectclass=<value you are
> looking for>)), if you get back 1 object (or more ??) then true else
> false

It starts a full new search for an attribute lookup which is a bit ugly.
Also, the added value of this is close to zero because if you don't
allow lookups of objectClass you're bound to not allow lookups of
userPassword (the only reason the objectClass is queried). Since the
warning is gone now I would leave it at that (unless you can come up with
good arguments).

> > By the way, is there any specific reason why you don't want to allow
> > lookups of objectClass of any entries?
>
> gives you access to which groups are available, for example you could
> find out all the different group names that are available

I don't understand this. Also this is what NSS does with 'getent group'.
If you use objectClass for some sort of ACLs I could imagine something
though.

-- 
-- arthur - [EMAIL PROTECTED] - http://people.debian.org/~adejong --
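The "does this cached DN carry objectClass X?" check discussed in the thread, as an added example that is not nss-ldapd code: since the DN is not a filterable attribute in standard LDAP, the equivalent is a base-scope search rooted at the cached DN with an `(objectClass=...)` filter, and the filter value is escaped per RFC 4515 so a stray `*` or `)` cannot change what the filter means. The in-memory directory and DNs are constructed for the example.

```python
import re
from typing import Dict, List

# Characters RFC 4515 requires to be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# Constructed sample directory: {dn: attributes}.
SAMPLE_DIRECTORY = {
    "cn=admins,ou=group,dc=example,dc=org": {
        "objectClass": ["top", "posixGroup"], "cn": ["admins"]},
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    """Reverse escape_filter_value (\\XX hex escapes, ASCII only, back to chars)."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def objectclass_check_request(cached_dn: str, object_class: str) -> dict:
    """Search parameters for the check: base scope on the cached DN, no attrs."""
    return {
        "base": cached_dn,      # the entry we already located
        "scope": "base",        # only that entry, not a subtree search
        "filter": f"(objectClass={escape_filter_value(object_class)})",
        "attrs": ["1.1"],       # request no attributes; presence is enough
    }


def evaluate_equality_filter(filter_str: str, entry: Dict[str, List[str]]) -> bool:
    """Stand-in for the server: evaluate one (attr=value) filter, case-insensitively."""
    m = re.fullmatch(r"\((\w+)=([^()]*)\)", filter_str)
    if m is None:
        raise ValueError(f"unsupported filter: {filter_str}")
    attr, wanted = m.group(1).lower(), unescape_filter_value(m.group(2)).lower()
    values = [v.lower() for k, vs in entry.items() if k.lower() == attr for v in vs]
    return wanted in values


def dn_has_objectclass(directory: dict, cached_dn: str, object_class: str) -> bool:
    """True iff the base-scope search on cached_dn returns exactly one entry."""
    req = objectclass_check_request(cached_dn, object_class)
    entry = directory.get(req["base"])  # base scope: the entry itself or nothing
    return entry is not None and evaluate_equality_filter(req["filter"], entry)
```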
