Previous Topic: Limit the Number of Concurrent Operations

Next Topic: Using Search Profiles

Search Profiles

Search profiles give an administrator a way to restrict the searches that specified users can perform. This is useful, for example, if you want to ensure that some users do not perform potentially performance-affecting searches.

A search profile specifies a category of searches. It defines the category in terms of the scope and the filter of the search. For more information on how to specify a search profile, see the set allow-search command.

When a user requests a search, the DSA checks the search request against the user's search profiles and only accepts the request if the search matches one of the profiles.

Example: A Restrictive Search Profile

A simple example is a search profile that only allows searches that have a base-object scope and an equality match filter. If a user is restricted to such a search profile, then neither of the following LDAP searches would be allowed:

ldapsearch -h host:30000 -b "cn=SIM,ou=Views,o=ACME" -s subtree (cn=John Smith) SIMCardNumber
ldapsearch -h host:30000 -b "cn=SIM,ou=Views,o=ACME" -s baseobject (baseObject=*) SIMCArdNumber

However, the following LDAP search would be allowed:

ldapsearch -h host:30000 -b "cn=SIM,ou=Views,o=ACME" -s baseobject (cn=John Smith) SIMCArdNumber

Example: A Non-restrictive Search Profile

You can specify a search profile that allows any search. If this profile is assigned to a role, then any user with that role can perform any search, even if the user's other roles have more restricted search profiles. This is useful if you want to create a group of unrestricted users, while still restricting the searches of users who are not in the group.

More information:

set allow-search Command—Define a Search Profile


Copyright © 2009 CA. All rights reserved. Email CA about this topic