Re: ACL state & value dependent ACLs

[Pierangelo Masarati <ando@sys-net.it>]

On Thu, 2005-12-15 at 11:39 -0800, Quanah Gibson-Mount wrote:
> 
> --On Wednesday, December 14, 2005 12:42 AM +0100 Pierangelo Masarati 
> <ando@sys-net.it> wrote:
> 
> > I vote for disabling ACL state for value-dependent ACLs.
> 
> What is the overall effect of doing so?  Assuming of course that ACL 
> caching actually worked in 2.(2,3)...

As far as I understand, ACL state caching works like this: when an
attribute is accessed, slapd checks access to all its values; to do
this, the access_allowed() func is called once for each value.  If no
value-dependednt access rule is used, preserving the state saves the
<what> and <who> lookup after the first invocation.  I don't quite
understand how it's supposed to work when access rules are found that
depend on the value passed in.

In any case, for non-value dependent ACLs, state saving can be a
significant advantage when checking access to long arrays of values
(e.g. group members), so I'd go for this, reworking or, at worst,
discarding it for value-dependent cases.

p.




Ing. Pierangelo Masarati
Responsabile Open Solution

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309          
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------