--On Monday, March 08, 2004 1:00 PM +0100 Pierangelo Masarati <ando@sys-net.it> wrote:
I'm considering the opportunity to move the search limits selection/interpretation to the frontend, so they are consistently used by all backends. As such, the selected structure with the appropriate limits, and their interpretation in terms of usual search limits, should be added to the req_search_s structure.
Moreover, I was considering the possibility to exploit the limits infrastructure to set identity based limitations to other operations, to provide a higher (and earlier) selection of access in cooperation with ACLs. E.g.: limit write operations before the backend's function is even called, or limit the possibility to use some control (for proxyAuthz we already have the saslAuthz{To|From} method, for paged results we already have some specific limits on the size of the page and so on), but the approach could be of general use. We could also think to create something analogous to ACIs, e.g. limits inside the data (maybe the idea is not new, and I'm reinventing the wheel; in case, forgive me).
Ando,
I like the idea (in fact, when I originally put the limits directive in, I put it outside of the DB block, thinking that it would apply to everything).
That's what it does: limits outside the DB block apply to all databases; what I'm talking about won't change the behavior of the code, but limit code duplication, provide an earlier limit evaluation and also make the mechanism available to other functions as well (limits are set and available per-operation, not inside searches only).
I also think the idea of expanding what limits you can place sounds good.
A conversation I had a while back with Howard (and Kurt?) was the idea of making it so that your ACL piece was a separate file (like slapdacl <path/file>). You could then have slapd check the freshness of that file periodically (every hour? 5 minutes? configurable?), and re-evaluate its ACLs. That would allow you to update your ACLs without stopping/starting slapd. With the structure of our ACLs, I find it unlikely we'll be using ACIs.
Sounds interesting. However, if we can change ACLs and other stuff run-time, I like the idea of having them in the DB, or at least to be able to access them via LDAP protocol. It sounds like something that should impact back-monitor or back-config...
p.
-- Dr. Pierangelo Masarati mailto:pierangelo.masarati@sys-net.it LDAP Architect, SysNet s.n.c. http://www.sys-net.it
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497