This patch is applicable to OpenLDAP 2.1.22, but it MAY be applicable to the current snapshots.

It allows turning on/off the caching of Group ACL evaluations, to force group ACL evaluation every time. In my particular setup, the side effect from the caching that the ACL would be "frozen" at its initial evaluation and never refreshed posed a problem. The performance hit was acceptable, in exchange for the added security consistency. YMMV, and use only when 100% necessary according to your particular setups.

So I came up with this config option to allow startup-time selection of behavior. The default is "on", to match the same behavior as if the patch were not present.

Best

--
===========================================================
* Diego Rivera                                            *
*                                                         *
* "The Disease: Windows, the cure: Linux"                 *
*                                                         *
* E-mail: lrivera<AT>racsa<DOT>co<DOT>cr                  *
* Replace: <AT>='@', <DOT>='.'                            *
*                                                         *
* GPG: BE59 5469 C696 C80D FF5C 5926 0B36 F8FF DA98 62AD  *
* GPG Public Key available at: http://pgp.mit.edu         *
===========================================================
Attachment:
openldap-2.1.22-enable_cache_groupacl.patch.bz2
Description: application/bzip
Attachment:
signature.asc
Description: This is a digitally signed message part