The better way would be to change limits.c...we've seen a few requests
for this over time...
Your workaround sounds plausible. I'd consider using a back-ldap on the
limited server that proxies to the unlimited server.
The sizelimit directive is marked ARG_MAY_DB. So one workaround that may
or may not work for your situation (or at all, this is off the top of my
head) is:
database hdb
suffix "dc=unlimited,dc=com"
access to * by peername.ip="1.2.3.4" read
database relay
suffix "dc=limited,dc=com"
relay "dc=unlimited,dc=com"
sizelimit 500
access to * by * read
and then you could configure different suffix for different limits, but
serve "the same" data. back-relay should be lighter than two slapd with
back-ldap.
On Thu, 12 Jun 2008, Bill MacAllister wrote:
We have an application that can only bind to the directory anonymously
and needs to be able to exceed our query size limit. The queries will
come from a small set of IP addresses. What we want to do is to set
the query size limit by source ip address.
One way that I can see to do this is to run two slapd servers with
different -h switches specified on the slapd startup so that each
server will bind to a different interface:port. Then we can restrict
access to the
unlimited-size-query server using ip tables. What would be really nice
is if the two configurations could specify the same backend databases.
Has anyone done this? Should this work? Is there a better way to do
this?
Bill
--
Bill MacAllister <whm@stanford.edu>
Systems Programmer, ITS Unix Systems, Stanford University