[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: limits

To: <jongchoi@OpenLDAP.org>
Subject: Re: limits
From: "Pierangelo Masarati" <ando@sys-net.it>
Date: Tue, 9 Mar 2004 00:54:07 +0100 (CET)
Cc: <openldap-devel@OpenLDAP.org>
Importance: Normal
In-reply-to: <002801c40566$8cc8a7e0$e0da0209@core>
References: <404C6046.6080706@sys-net.it> <002801c40566$8cc8a7e0$e0da0209@core>

> The limit code in the frontend needs also to be run before calling
> backend operations internally.
> How about having a utilify function to set the operation limits ?
> instead of duplicating codes ?

I already moved the code into do_search(); we could make
a be_search() where to put limits and delegate the actual
call to be->be_search to it.  I think the backend selection
should not be there.  Note that usually internal searches
are likely to be run with special privileges, but to be
general I guess limits could apply to them.

If we plan to move limits to other operations, the
infrastructure needs a further level of generalization;
but first we should make clear what is worth limiting,
or at least to design what types of parameters should
be limited.  For searches we already have a reasonable
set: soft/hard size/time, candidates, page size; since
there are no other bulk operations in LDAP, I don't
actually see anything we could do better than with ACLs.
The only advantage of using limits istead of ACLs is
that operation denial occurs a bit earlier, based on
the identity of the issuer, with no knowledge of the
values or types the restriction applies to.

Right now, I feel fine with search limits in the
front-end, possibly wrapping calls to be->be_search(),
but I'd like to know if anybody thinks there is room
for more applications.

Ando.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it

References:
- limits
  - From: Pierangelo Masarati <ando@sys-net.it>
- Re: limits
  - From: "Jong" <jongchoi@OpenLDAP.org>

Prev by Date: Re: limits
Next by Date: Announceing rmwd
Index(es):
- Chronological
- Thread