[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Limits on anonymous binds

To: openldap-devel@OpenLDAP.org
Subject: Re: Limits on anonymous binds
From: Pierangelo Masarati <masarati@aero.polimi.it>
Date: Sat, 1 Dec 2001 15:29:18 +0100 (MET)

> I'd prefer we use allow
> limits {anonymous,users,dn[.{regex,base,one,subtree,exact}]=...}
>

I've just committed a fix that does this.

> (ala ACL dn fields) where each backend maintained a list of these,
> first match wins.

The limits already are per-backend, except global default limits 
can be defined, with the old style:

	timelimit	[time.{soft|hard}=]<n>
	sizelimit	[size.{soft|hard|unchecked}=]<n>

Mark, after some thought I think Kurt's solution of using 

	pattern = "anonymous"

looks cleaner than using an "anonymous" modifier for dn (i.e. "dn.anonymous");
however I left your change in place until some agreement is reached.

Another point that will possibly arise is that in presence of many
limits (sort of pre-acls) their use may cause some overhead (of course
ridicolous if compared to that of ACLs), but we might need some caching. 
A first guess is to store the each backend's matching limit in the 
connection (as soon as a backend is searched, rather than in advance),
and disregard them as soon as a rebind is made.

I think we need to see what's their impact on the load.

Pierangelo.

Next by Date: Re: Netscape SLAPI -- IBM contribution to OpenLDAP
Index(es):
- Chronological
- Thread