[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Access control based on attribute of binded user ?

To: Mads Freek <freek@ruc.dk>
Subject: Re: Access control based on attribute of binded user ?
From: Pierangelo Masarati <pmasarati@bci.it>
Date: Mon, 13 Aug 2001 12:29:52 +0200
Cc: OpenLDAP-software <OpenLDAP-software@OpenLDAP.org>
Organization: SysNet
References: <B79D75CE.108C%freek@ruc.dk>

Mads Freek wrote:
> 
> on 8/13/01 11:56 AM, Pierangelo Masarati at pmasarati@bci.it wrote:
> > However, it looks like evaluating this sort of ACLs would
> > be costly in terms of time. In this case, as well as in
> > case of other costly acl evaluations, maybe we might
> 
> Why would it be costly to apply a filter against one binded user?

When a user is successfully bound, its dn is stored 
in the operation structure. The ACL check is performed
against this dn, there's no knowledge of the entry
of a bound user.
In the current implementation of the ACL checks, the
rule you depicted would require the fetching of the 
entry of the bound dn each time the <what> clause
is to be checked. On the contrary, if we pool the 
ACL checks, we can fetch the entry once and apply the
rule once, them each time the <what> clause is matched
we already know if the bound dn matches. The operation 
is still costly if the rule is evaluated once per 
operation, but it is somehow optimized in case multiple
entries result from the search.

Pierangelo.

-- 
Dr. Pierangelo Masarati    mailto:ando@sys-net.it
Developer, SysNet s.n.c.   http://www.sys-net.it

Prev by Date: Re: Access control based on attribute of binded user ?
Next by Date: ldif import
Index(es):
- Chronological
- Thread