Search profiles give an administrator a way to restrict the searches that specified users can perform. This is useful, for example, if you want to ensure that some users do not perform potentially performance-affecting searches.
A search profile specifies a category of searches. It defines the category in terms of the scope and the filter of the search. For more information on how to specify a search profile, see the set allow-search command.
When a user requests a search, the DSA checks the search request against the user's search profiles and only accepts the request if the search matches one of the profiles.
Example: A Restrictive Search Profile
A simple example is a search profile that only allows searches that have a base-object scope and an equality match filter. If a user is restricted to such a search profile, then neither of the following LDAP searches would be allowed:
ldapsearch -h host:30000 -b "cn=SIM,ou=Views,o=ACME" -s subtree "(cn=John Smith)" SIMCardNumber
ldapsearch -h host:30000 -b "cn=SIM,ou=Views,o=ACME" -s baseobject "(baseObject=*)" SIMCardNumber
However, the following LDAP search would be allowed:
ldapsearch -h host:30000 -b "cn=SIM,ou=Views,o=ACME" -s baseobject "(cn=John Smith)" SIMCardNumber
Example: A Non-restrictive Search Profile
You can specify a search profile that allows any search. If this profile is assigned to a role, then any user with that role can perform any search, even if the user's other roles have more restricted search profiles. This is useful if you want to create a group of unrestricted users, while still restricting the searches of users who are not in the group.
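The decision described in both examples, modeled in Python as an added illustration (this is not CA Directory code or its configuration syntax). The SearchProfile class, the ANY marker, the filter-type names and the function names are assumptions made for the example; the sample searches are the ones shown above.

```python
import re
from dataclasses import dataclass

ANY = frozenset({"*"})  # assumed wildcard marker: any scope / any filter type

@dataclass(frozen=True)
class SearchProfile:          # hypothetical model, not the DSA's own structure
    name: str
    scopes: frozenset         # e.g. {"baseobject"}
    filter_types: frozenset   # e.g. {"equality"}

# One simple filter item: (attr OP value). The &, | and ! operators only wrap items.
ITEM = re.compile(r"\(([^()&|!=<>~]+?)(>=|<=|~=|=)([^()]*)\)")
OPS = {">=": "greater-or-equal", "<=": "less-or-equal", "~=": "approx"}

def filter_item_types(ldap_filter):
    """Return the set of match types used by an RFC 4515 filter string."""
    types = set()
    for attr, op, value in ITEM.findall(ldap_filter):
        if op != "=":
            types.add(OPS[op])
        elif ":" in attr:
            types.add("extensible")      # (attr:rule:=value)
        elif value == "*":
            types.add("presence")        # (attr=*)
        elif "*" in value:
            types.add("substring")       # a literal '*' is escaped as \2a
        else:
            types.add("equality")
    return types or {"unknown"}          # unparsable filter fits no restricted profile

def profile_allows(profile, scope, ldap_filter):
    scope_ok = profile.scopes == ANY or scope in profile.scopes
    filter_ok = (profile.filter_types == ANY
                 or filter_item_types(ldap_filter) <= profile.filter_types)
    return scope_ok and filter_ok

def dsa_accepts(profiles, scope, ldap_filter):
    """Accept if the search matches at least one of the user's profiles."""
    return any(profile_allows(p, scope, ldap_filter) for p in profiles)

RESTRICTIVE = SearchProfile("base-equality", frozenset({"baseobject"}), frozenset({"equality"}))
UNRESTRICTED = SearchProfile("any-search", ANY, ANY)

if __name__ == "__main__":
    for scope, flt in [("subtree", "(cn=John Smith)"),
                       ("baseobject", "(baseObject=*)"),
                       ("baseobject", "(cn=John Smith)")]:
        print(scope, flt, dsa_accepts([RESTRICTIVE], scope, flt),
              dsa_accepts([RESTRICTIVE, UNRESTRICTED], scope, flt))
```

The model covers only users who have at least one profile assigned; how the DSA treats a user with no search profiles is not modeled here.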
Copyright © 2011 CA. All rights reserved.