RE: PATCH: cache_groupacl {on|off}
> -----Original Message-----
> From: owner-openldap-devel@OpenLDAP.org
> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Diego Rivera
> As for the rest of your points - all valid, of course. But it's
> important to note that a better model might be to re-evaluate the group
> memberships using a conditional akin to this one:
>
>     if ( ( groupEntry->timestamp != last_eval_timestamp ) &&
>          ( operation->id != last_eval_operation_id ) )
>     {
>         eval_group_permissions( groupEntry, binddn );
>     }
>
> This allows "atomic" ('scuse the ill-chosen term :) ) evaluation of the
> access rights: on a per-operation basis.
>
> It also allows runtime permissions to behave more like they do on
> databases - for example - where your permissions for a particular
> operation reflect what you're allowed to do at the time you start the
> operation.
Having thought about this some more, we can do this easily by moving the
group cache from being per-connection to being per-operation. Then there's no
need to check timestamps or operation ids, and this approach fixes some other
messy parts of the current implementation as well. (An operation can possibly
trigger sub-operations. If we kept the group cache where it is, but added a
compare of operation ids, we'd have to keep a long list in the connection
handle for all the outstanding operation ids. Very ugly.)
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support