UX: filter internal/operational object classes from LDAP schema display #434
Description
Summary
When discovering schema from OpenLDAP (and other RFC-compliant directories), the schema tab displays all structural object classes from the subschema — including internal/operational ones that administrators would never want to manage. This creates noise in the UI.
Examples of internal classes that appear but are never useful for identity management:
- olc* classes (OpenLDAP cn=config backend configuration: olcGlobal, olcDatabaseConfig, olcMdbConfig, etc.)
- audit* classes (accesslog overlay: auditAdd, auditBind, auditModify, etc.)
- Legacy/obsolete classes (pilotPerson, pilotDSA, pilotOrganization)
AD avoids this problem via defaultHidingValue=FALSE in its schema filter, which hides most internal classes. OpenLDAP has no equivalent mechanism.
Proposed Solution
Add optional filtering in the RFC 4512 schema discovery path to exclude known-internal object class prefixes. This could be:
- A hardcoded exclude list of known-internal prefixes (olc, audit): simple but brittle
- A connector setting (e.g., "Object class exclude patterns") where admins can specify prefixes/patterns to filter: more flexible
- UI-side grouping/filtering: show all classes but group them with collapsible sections (e.g., "OpenLDAP Internal", "Accesslog", "Standard") so the useful ones are prominent
Option 2 or 3 is preferred for flexibility. The current behaviour is correct (all classes are discoverable), just noisy.
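As an added illustration (not JIM's code and not part of the issue), the following hypothetical C# helper sketches how Options 2 and 3 could be combined: admin-configurable prefix patterns decide which display group a discovered object class lands in, and anything unmatched falls into "Standard". The group names and default patterns are assumptions drawn from the examples above.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

// Hypothetical helper: groups object class names discovered from an RFC 4512
// subschema into display sections using configurable prefix patterns.
public static class ObjectClassGrouper
{
    // Assumed defaults; an admin-supplied "Object class exclude patterns"
    // setting would replace or extend these. Shell-style '*' wildcard,
    // case-insensitive because LDAP schema names are case-insensitive.
    public static readonly IReadOnlyDictionary<string, string[]> DefaultGroups =
        new Dictionary<string, string[]>
        {
            ["OpenLDAP Internal"] = new[] { "olc*" },
            ["Accesslog"]         = new[] { "audit*" },
            ["Legacy"]            = new[] { "pilot*" },
        };

    public static Dictionary<string, List<string>> Group(
        IEnumerable<string> objectClassNames,
        IReadOnlyDictionary<string, string[]> groups)
    {
        // Compile each wildcard pattern into an anchored, case-insensitive regex.
        var compiled = groups.ToDictionary(
            g => g.Key,
            g => g.Value.Select(p => new Regex(
                "^" + Regex.Escape(p).Replace("\\*", ".*") + "$",
                RegexOptions.IgnoreCase)).ToArray());

        var result = groups.Keys.ToDictionary(k => k, _ => new List<string>());
        result["Standard"] = new List<string>();

        foreach (var name in objectClassNames)
        {
            // First matching group wins; unmatched classes stay prominent under "Standard".
            var group = compiled.FirstOrDefault(g => g.Value.Any(rx => rx.IsMatch(name))).Key
                        ?? "Standard";
            result[group].Add(name);
        }
        return result;
    }

    public static void Main()
    {
        // Constructed sample using class names mentioned in the issue.
        var discovered = new[] { "olcGlobal", "olcDatabaseConfig", "auditAdd",
                                 "pilotPerson", "inetOrgPerson", "groupOfNames" };
        foreach (var (group, names) in Group(discovered, DefaultGroups))
            Console.WriteLine($"{group}: {string.Join(", ", names)}");
    }
}
```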
Context
Discovered during #72 Phase 5 (OpenLDAP end-to-end validation). The Yellowstone OpenLDAP connected system shows 65 object types, of which ~15 are actually useful for identity management. See screenshot in issue discussion.
Files
src/JIM.Connectors/LDAP/LdapConnectorSchema.cs (GetRfcSchemaAsync() method)