Re: Limits on anonymous binds
> I'd prefer we use allow
> limits {anonymous,users,dn[.{regex,base,one,subtree,exact}]=...}
>
I've just committed a fix that does this.
> (ala ACL dn fields) where each backend maintained a list of these,
> first match wins.
The limits already are per-backend, except global default limits
can be defined, with the old style:
    timelimit [time.{soft|hard}=]<n>
    sizelimit [size.{soft|hard|unchecked}=]<n>
Mark, after some thought I think Kurt's solution of using
    pattern = "anonymous"
looks cleaner than using an "anonymous" modifier for dn (i.e. "dn.anonymous");
however I left your change in place until some agreement is reached.
Another point that will possibly arise is that in the presence of many
limits (sort of pre-acls) their use may cause some overhead (of course
ridiculous if compared to that of ACLs), but we might need some caching.
A first guess is to store each backend's matching limit in the
connection (as soon as a backend is searched, rather than in advance),
and disregard them as soon as a rebind is made.
I think we need to see what their impact on the load is.
Pierangelo.
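
The caching idea from the message above, as an added example that is not part of the original post and not OpenLDAP code: a first-match-wins rule list per backend, looked up lazily on the first search and discarded on rebind so a connection never keeps the limits of its previous identity. All type and function names are hypothetical, the rule list is constructed, and DNs are assumed to be already normalized.

```c
#include <string.h>
/* Hypothetical model for illustration; not slapd's data structures. */
enum who { W_ANON, W_USERS, W_DN_EXACT, W_DN_SUBTREE };
struct limit_rule { enum who who; const char *pat; int size_soft; };
struct backend { const struct limit_rule *rules; size_t n; };
#define MAX_BE 4
struct conn {
    const char *dn;                          /* normalized bind DN, "" = anonymous */
    const struct limit_rule *cache[MAX_BE];  /* matched rule per backend */
    unsigned char cached[MAX_BE];            /* set once that backend was looked up */
    unsigned scans;                          /* rule-list walks, to gauge load */
};
/* Constructed sample rule list; order matters because first match wins. */
const struct limit_rule sample_rules[] = {
    { W_ANON, NULL, 10 },
    { W_DN_SUBTREE, "ou=admins,dc=example,dc=com", 5000 },
    { W_USERS, NULL, 500 },
};
static int rule_matches(const struct limit_rule *r, const char *dn) {
    size_t dl = strlen(dn), pl;
    switch (r->who) {
    case W_ANON:     return dl == 0;
    case W_USERS:    return dl != 0;
    case W_DN_EXACT: return strcmp(dn, r->pat) == 0;
    case W_DN_SUBTREE:                       /* the base itself or any descendant */
        pl = strlen(r->pat);
        if (dl < pl || strcmp(dn + dl - pl, r->pat) != 0) return 0;
        return dl == pl || dn[dl - pl - 1] == ',';
    }
    return 0;
}

/* Lazy lookup on the first search of a backend; NULL = use global defaults. */
const struct limit_rule *conn_limits(struct conn *c, const struct backend *be, int idx) {
    if (!c->cached[idx]) {
        c->cached[idx] = 1;
        c->cache[idx] = NULL;
        c->scans++;
        for (size_t i = 0; i < be->n && !c->cache[idx]; i++)
            if (rule_matches(&be->rules[i], c->dn)) c->cache[idx] = &be->rules[i];
    }
    return c->cache[idx];
}

/* A rebind changes identity, so every cached match is discarded. */
void conn_rebind(struct conn *c, const char *dn) {
    c->dn = dn;
    memset(c->cached, 0, sizeof c->cached);
}
```

The scans counter gives a rough figure for how often the rule list is actually walked, which is the load question raised in the message.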