[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: (ITS#4316) proxycache attrsets
Pierangelo Masarati wrote:
>> Full_Name: Howard Chu
>> Version: 2.3
>> OS:
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (24.126.120.178)
>> Submitted by: hyc
>>
>>
>> The Admin Guide example
>> http://www.openldap.org/doc/admin23/proxycache.html
>> indicates that an attrset will be used if it is a superset of the
>> attributes
>> present in a particular search query. However, the get_attr_set/attrscmp
>> functions will only match a set if it is exactly equal to the attrs in the
>> query. The documented behavior would certainly be more useful.
>>
>
> I think this has been suggested many times (I'll dig in the archives) but
> AFAIR there was some technical answer which I don't recall that prevented
> it.
>
>
Actually, if you notice the find_supersets() function in the code, the
design was intended to behave as documented. It is simply broken.
>> It would make even more sense to always use all the attrs in the attrset
>> on the
>> remote query, so that they'll all be in the cache, regardless of what
>> subsets of
>> the attrset are used in a specific query.
>>
>
> Don't forget access control issues; I think by playing with attrsets they
> can be limited, e.g. by only caching public searches or so. In any case,
> I'd leave the possibility to define attrsets.
>
I really don't see that allowing subsets of attrsets to work as desired
has any impact on the overall access control policies.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/