
Re: limits



Quanah Gibson-Mount wrote:


--On Monday, March 08, 2004 1:00 PM +0100 Pierangelo Masarati <ando@sys-net.it> wrote:

I'm considering the opportunity to move the search limits
selection/interpretation to the frontend, so they are
consistently used by all backends.  As such, the selected
structure with the appropriate limits, and their
interpretation in terms of the usual search limits, should
be added to the req_search_s structure.

Moreover, I was considering the possibility of exploiting
the limits infrastructure to set identity-based limitations
on other operations, to provide a higher (and earlier)
selection of access in cooperation with ACLs.  E.g.:
limit write operations before the backend's function is
even called, or limit the possibility of using some control
(for proxyAuthz we already have the saslAuthz{To|From}
method, for paged results we already have some specific
limits on the size of the page and so on), but the approach
could be of general use.  We could also think of creating
something analogous to ACIs, e.g. limits inside the data
(maybe the idea is not new, and I'm reinventing the wheel;
in that case, forgive me).


Ando,

I like the idea (in fact, when I originally put the limits directive in, I put it outside of the DB block, thinking that it would apply to everything).

That's what it does: limits outside the DB block apply to all databases. What I'm talking about won't change the behavior of the code, but it will limit code duplication, provide an earlier limit evaluation, and also make the mechanism available to other functions (limits are set and available per operation, not inside searches only).

I also think the idea of expanding what limits you can place sounds good.

A conversation I had a while back with Howard (and Kurt?) was the idea of making it so that your ACL piece was a separate file (like slapdacl <path/file>). You could then have slapd check the freshness of that file periodically (every hour? 5 minutes? configurable?), and re-evaluate its ACLs. That would allow you to update your ACLs without stopping/starting slapd. With the structure of our ACLs, I find it unlikely we'll be using ACIs.

Sounds interesting. However, if we can change ACLs and other stuff at run time, I like the idea of having them in the DB, or at least being able to access them via the LDAP protocol. It sounds like something that should involve back-monitor or back-config...

p.

--
Dr. Pierangelo Masarati         mailto:pierangelo.masarati@sys-net.it
LDAP Architect, SysNet s.n.c.   http://www.sys-net.it

SysNet - via Dossi, 8 27100 Pavia   Tel: +390382573859   Fax: +390382476497
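To make the global-versus-per-database point in the exchange above concrete, here is an added slapd.conf fragment. It is example configuration written for this page, not taken from the thread or from the OpenLDAP sources; the suffix, DNs, paths and numeric values are constructed, and the exact precedence between global and per-database limits clauses should be checked against slapd.conf(5) for the slapd version in use. slapd.conf only accepts comments on lines of their own, so none of the directives below carry trailing comments.

```conf
# Global section (everything before the first "database" line).
# Defaults that apply to every database unless a clause in that
# database matches the request first.
# Values and DNs are constructed for this example.
sizelimit 500
timelimit 60

# "limits" clauses are evaluated in order; the first selector that
# matches the bound identity is the one applied.
# Anonymous binds get a tight size/time budget everywhere.
limits anonymous size=100 time=10
# A replication identity is exempted from all limits.
limits dn.exact="cn=replicator,dc=example,dc=com" size=unlimited time=unlimited
# Authenticated users: soft limit returned when the client asks for
# more, hard ceiling, and a per-page cap for paged-results searches.
limits users size.soft=200 size.hard=1000 size.pr=50

database bdb
suffix    "dc=example,dc=com"
rootdn    "cn=Manager,dc=example,dc=com"
directory /var/lib/ldap/example

# Per-database clause: in this database only, members of the admin
# group search without limits. In any other database they fall back
# to the global "users" clause above.
limits group/groupOfNames/member="cn=Admins,ou=Groups,dc=example,dc=com" size=unlimited time=unlimited
```

The security-relevant check here is the ordering: because the first matching selector wins, a broad selector such as `users` or `*` placed before a narrower `dn.exact` or `group` clause silently shadows it, so list exemptions before the catch-all clauses and verify the effective limits with a search bound as each identity rather than trusting the file by inspection.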