Re: query result size limit by ip
The better way would be to change limits.c...we've seen a few requests for
this over time...
Your workaround sounds plausible. I'd consider using a back-ldap on the
limited server that proxies to the unlimited server.
The sizelimit directive is marked ARG_MAY_DB. So one workaround that may
or may not work for your situation (or at all, this is off the top of my
head) is:

database hdb
suffix "dc=unlimited,dc=com"
access to * by peername.ip="1.2.3.4" read

database relay
suffix "dc=limited,dc=com"
relay "dc=unlimited,dc=com"
sizelimit 500
access to * by * read

and then you could configure different suffix for different limits, but
serve "the same" data. back-relay should be lighter than two slapd with
back-ldap.
On Thu, 12 Jun 2008, Bill MacAllister wrote:
We have an application that can only bind to the directory anonymously and
needs to be able to exceed our query size limit. The queries will come from
a small set of IP addresses. What we want to do is to set the query size
limit by source ip address.
One way that I can see to do this is to run two slapd servers with different
-h switches specified on the slapd startup so that each server will bind to a
different interface:port. Then we can restrict access to the
unlimited-size-query server using ip tables. What would be really nice is if
the two configurations could specify the same backend databases. Has anyone
done this? Should this work? Is there a better way to do this?
Bill
--
Bill MacAllister <whm@stanford.edu>
Systems Programmer, ITS Unix Systems, Stanford University