-----Original Message-----
From: owner-openldap-devel@OpenLDAP.org [mailto:owner-openldap-devel@OpenLDAP.org] On Behalf Of Quanah Gibson-Mount

> Hm... But in my experience of using static groups so far here at Stanford, the membership of a static group is not cached right now. I routinely add new members to static groups, and they have access from that point on. Or are you saying a routine should be added to cache the membership, that only re-evaluates it when the modifyTimestamp has changed?

Currently there is a cache maintained for each session of all the groups that are referenced by an ACL. It means that any group is only checked once. If you add a user to a group, and they aren't currently connected, then they will of course have access the next time they connect. If they are connected when you make the change, it's indeterminate whether they will get access in that session.

> That would certainly drop the "restart slapd to re-evaluate your ACLs" bit. I think that could be problematic at sites where changes to accessing entities (human or otherwise) are made frequently.

That's a separate issue. Changes to slapd.conf imply changes to the operating environment that are limitless in scope. The change could be trivial, or it could completely redefine all of the databases and all of the schema etc. and there's no way to tell.
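The per-session group cache described above, and the modifyTimestamp-based re-evaluation Quanah suggests, can be modelled in a few lines. The following is an added illustration, not slapd code: the directory contents, DNs, timestamps and the `Session`/`GroupEntry` classes are constructed for the example. It shows the access-control consequence of the thread: with a plain once-per-session cache, a user added to an ACL group while already connected keeps the stale "not a member" answer until reconnect, whereas a cache keyed on the group's modifyTimestamp picks the change up on the next check.

```python
"""Model of a per-session ACL group-membership cache (constructed example,
not OpenLDAP's implementation)."""

from dataclasses import dataclass, field


@dataclass
class GroupEntry:
    members: set
    modify_timestamp: str  # LDAP generalizedTime, e.g. 20240101120000Z


def make_directory():
    """Constructed sample directory: group DN -> entry."""
    return {
        "cn=admins,ou=groups,dc=example,dc=com": GroupEntry(
            members={"uid=alice,ou=people,dc=example,dc=com"},
            modify_timestamp="20240101120000Z",
        ),
    }


def add_member(directory, group_dn, member_dn, timestamp):
    """Simulate an LDAP modify on the group; the server bumps modifyTimestamp."""
    entry = directory[group_dn]
    entry.members.add(member_dn)
    entry.modify_timestamp = timestamp


@dataclass
class Session:
    """One bound connection with its own group cache.

    check_timestamp=False reproduces the behaviour described in the thread:
    each ACL group is evaluated once per session and never again.
    check_timestamp=True re-evaluates only when modifyTimestamp has changed.
    """
    bind_dn: str
    directory: dict
    check_timestamp: bool = False
    # group DN -> (cached membership result, modifyTimestamp seen at evaluation)
    cache: dict = field(default_factory=dict)

    def is_member(self, group_dn):
        entry = self.directory[group_dn]
        hit = self.cache.get(group_dn)
        if hit is not None:
            cached_result, seen_ts = hit
            if not self.check_timestamp or seen_ts == entry.modify_timestamp:
                return cached_result  # cache hit: no directory lookup
        result = self.bind_dn in entry.members
        self.cache[group_dn] = (result, entry.modify_timestamp)
        return result


def demo(check_timestamp):
    """Bob connects, is added to the admins group mid-session, then reconnects.

    Returns (access before change, access in same session after change,
    access in a fresh session after change).
    """
    directory = make_directory()
    group = "cn=admins,ou=groups,dc=example,dc=com"
    bob = "uid=bob,ou=people,dc=example,dc=com"

    session = Session(bob, directory, check_timestamp)
    before = session.is_member(group)
    add_member(directory, group, bob, "20240101130000Z")
    same_session = session.is_member(group)
    fresh_session = Session(bob, directory, check_timestamp).is_member(group)
    return (before, same_session, fresh_session)


if __name__ == "__main__":
    print("once-per-session cache :", demo(check_timestamp=False))
    print("modifyTimestamp-aware  :", demo(check_timestamp=True))
```

The once-per-session variant returns `(False, False, True)`: the connected user is denied until reconnect, which is the indeterminacy the reply describes. The timestamp-aware variant returns `(False, True, True)` at the cost of one extra read of the group entry's modifyTimestamp per check; a practitioner weighing the two should note that the same staleness also applies in the other direction, so a member removed from a group keeps access for the life of an already-open session under the first scheme.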