On Fri, Dec 7, 2012 at 6:20 AM, Emmanuel Lécharny <elecharny@gmail.com> wrote:

I'm trying to add the entryDN operational attribute, as it's present in
OpenLDAP and we get it when setting up replication. This attribute is
computed on the fly, and can be used in attribute value assertion (cf
RFC 5020).

We have two ways to implement this AT:
1) In the OperationalAttributeInterceptor
2) In the backend

Here are the operations we have to do:

Add operation : in any case, we must remove the EntryDN attribute, if
it's present, before we hit the backend
Modify operation : same thing
Rename operation : same thing
Move operation : nothing to do
Lookup operation : we have to add the entryDn, but only if the user has
requested it (+, or explicitly).
Search operation : for each entry, we have to add the EntryDn AT if
requested (+, or explicitly).

I think it's easier, considering those constraints, to do the work in
the backend. This may have some impact on the entry cache too.

I will investigate the two approaches in a bit more detail (I have played
a bit with both approaches, but haven't made up my mind yet).

Any thoughts?

I prefer the first approach clubbed with modifying the BaseEntryFilteringCursor to inject
entryDN attribute when requested
Emmanuel Lécharny

Kiran Ayyagari
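
The per-operation rules listed in the thread, as an added example that is not code from either poster or from ApacheDS: `EntryDnModel` and its methods are hypothetical, entries are modelled as plain maps, the DNs are constructed sample values, and the OID is the one RFC 5020 assigns to entryDN.

```java
import java.util.*;

// Hypothetical model of the rules in the thread; none of this is ApacheDS API.
public class EntryDnModel {
    static final String ENTRY_DN = "entryDN";
    static final String ENTRY_DN_OID = "1.3.6.1.1.20"; // entryDN OID from RFC 5020

    // Attribute descriptions are case-insensitive; the OID form must match too.
    static boolean isEntryDn(String id) {
        return id.equalsIgnoreCase(ENTRY_DN) || id.equals(ENTRY_DN_OID);
    }

    // Add / Modify / Rename: drop any client-supplied entryDN before the backend.
    static Map<String, List<String>> stripEntryDn(Map<String, List<String>> attrs) {
        Map<String, List<String>> out = new LinkedHashMap<>();
        for (Map.Entry<String, List<String>> e : attrs.entrySet()) {
            if (!isEntryDn(e.getKey())) out.put(e.getKey(), e.getValue());
        }
        return out;
    }

    // "+" requests all operational attributes; "*" (user attributes) does not.
    static boolean entryDnRequested(Collection<String> requested) {
        for (String r : requested) {
            if (r.equals("+") || isEntryDn(r)) return true;
        }
        return false;
    }

    // Lookup / Search: compute entryDN from the entry's own name, only on request.
    // Filtering of the other returned attributes is left out of this model.
    static Map<String, List<String>> decorate(String dn,
            Map<String, List<String>> stored, Collection<String> requested) {
        Map<String, List<String>> out = stripEntryDn(stored); // never return a stored copy
        if (entryDnRequested(requested)) out.put(ENTRY_DN, Collections.singletonList(dn));
        return out;
    }

    public static void main(String[] args) {
        String dn = "uid=jdoe,ou=people,dc=example,dc=com"; // constructed sample DN
        Map<String, List<String>> add = new LinkedHashMap<>();
        add.put("uid", Collections.singletonList("jdoe"));
        // Constructed client-supplied value that does not match the entry's name.
        add.put("EntryDN", Collections.singletonList("cn=admin,dc=example,dc=com"));
        Map<String, List<String>> stored = stripEntryDn(add);
        System.out.println("stored:       " + stored);
        System.out.println("search '*':   " + decorate(dn, stored, Arrays.asList("*")));
        System.out.println("search '+':   " + decorate(dn, stored, Arrays.asList("cn", "+")));
        System.out.println("search named: " + decorate(dn, stored, Arrays.asList("entrydn")));
    }
}
```

Because the value is always recomputed from the entry's name, a Move needs no special handling, which matches the "nothing to do" case in the list.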