
Re: HEADS UP: specifying slapd listeners



At 09:51 AM 7/20/99 +0200, you wrote:
>> I've updated the SLAPD startup arguments to better handle
>> binding to specific addresses in lieu of TLS and other
>> additional listeners.  You can now have N listeners (of
>> which a subset can be TLS).  The default is "ldap:///".
>
>Now an idea.  Could we use the extensions in the URL to specify things
>like the locale setting?

I hesitate to use the extensions for much more.  I think we will
need a fair amount of per-listener information in the future.  I'm
thinking it might be wise to place such in the configuration file.

	locale		X	# default locale

	listener	ldap:///
	locale		X

However, we need to be careful of which configuration items we
associate with listeners.  Listener options should be
orthogonal to backend/database configuration items.  If not
orthogonal, then clear rules must be established (such as
backend items always override listener items or vice versa).
In my opinion, defaults for items which are settable by the
client (sizelimit, timelimit, etc.) do make sense as per listener
defaults.  However, I am not sure about items which are not
(currently) specifiable by the client (i.e., locale).  Of course,
you want locale to be per-listener because the client cannot
specify it.

>Or, gasp, a charset like was shown to be
>needed to support legacy, off-site, clients without duplicating data?
>
>And is this in daemon.c safe?:
>
>		if( isdigit( lud->lud_host[0] ) ) {

Yes, because if lud != NULL, lud->lud_host must be != NULL.
Or do you mean the isdigit() call?

>> I'll likely add ACL support for bind address/port, peer
>> address/port, and TLS status soon.

Basically, I'd like to provide a who clause that ANDs together
multiple subclauses (the current ACLs don't allow subclauses)
so you can do things like:
  by domain=.*\.mydomain\.com group="cn=admin,dc=mydomain,dc=com" write

Next is to support both sockname and peername information.
  by peer="^IP=10\.[^:]*:[^:]*$" sock="^IP=[^:]*:389$" read

For IP(v4), the peer/sock strings would be in
"IP=dot-address:numeric-port".  Other formats could be devised
for other protocols (IPv6 or whatever).

This would render by addr clauses obsolete.

As far as ACL for TLS goes, well, I could add a simple
	by [ secure ] [ insecure ] [ secure=* (default) ] ...

But, I assume there are different levels of "secure" we'd
want to take into account.

Kurt
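The following is an added illustration of the proposed who-clause semantics from the message above (ANDed subclauses, peer/sock strings in the "IP=dot-address:numeric-port" form, first matching rule wins); it is not code from OpenLDAP or from the message's author. The parser, the `tls` subclause name (standing in for the proposed secure/insecure status), the sample rules and the sample connections are all constructed assumptions.

```python
import re

# Constructed rule set in the proposed 'by' clause syntax.  Within one rule
# every subclause must match (they are ANDed); rules are tried in order.
RULES_TEXT = [
    r'by peer="^IP=10\.[^:]*:[^:]*$" sock="^IP=[^:]*:389$" read',
    r'by peer="^IP=10\.[^:]*:[^:]*$" sock="^IP=[^:]*:636$" tls="^secure$" write',
]

# name="regex" pairs; the patterns in this example contain no quotes.
CLAUSE_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_rule(text):
    """Parse 'by <name>="<regex>" ... <access>' into ({name: regex}, access)."""
    if not text.startswith("by "):
        raise ValueError("rule must start with 'by'")
    body = text[3:]
    clauses = {name: re.compile(pat) for name, pat in CLAUSE_RE.findall(body)}
    access = body.rsplit(None, 1)[-1]  # the trailing token is the access level
    return clauses, access


def endpoint_string(ip, port):
    """Render an IPv4 endpoint as 'IP=dot-address:numeric-port'."""
    return f"IP={ip}:{port}"


def evaluate(rules, conn):
    """Return the access granted to a connection, or 'none' if no rule matches.

    conn maps subclause names (peer, sock, tls) to the strings they are
    matched against.  A rule applies only if every one of its subclauses
    matches; a subclause naming an attribute the connection lacks fails.
    """
    for clauses, access in rules:
        if all(name in conn and rx.search(conn[name])
               for name, rx in clauses.items()):
            return access
    return "none"


RULES = [parse_rule(t) for t in RULES_TEXT]


def access_for(peer_ip, peer_port, sock_ip, sock_port, tls):
    """Build the connection attributes for one client and evaluate the rules."""
    conn = {
        "peer": endpoint_string(peer_ip, peer_port),   # client side
        "sock": endpoint_string(sock_ip, sock_port),   # listener side
        "tls": "secure" if tls else "insecure",        # assumed attribute name
    }
    return evaluate(RULES, conn)


if __name__ == "__main__":
    # Constructed sample connections.
    print(access_for("10.1.2.3", 40000, "192.0.2.1", 389, False))   # read
    print(access_for("10.1.2.3", 40000, "192.0.2.1", 636, True))    # write
    print(access_for("10.1.2.3", 40000, "192.0.2.1", 636, False))   # none
    print(access_for("203.0.113.7", 5000, "192.0.2.1", 389, False)) # none
```

The third sample shows why the subclauses must be ANDed rather than ORed: a 10.x peer on the TLS listener gets nothing unless the session is actually secure, and the anchored regexes keep a port such as 1389 from matching the `:389$` sock pattern.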