
Re: (ITS#5821) Small mistake in man page



andrew.findlay@skills-1st.co.uk wrote:
> On Thu, Nov 20, 2008 at 02:43:22PM +0000, kkalev@gmail.com wrote:
> 
>> In the manpage for slapd.conf (slapd.conf.5) in the limits directive description
>> the value for the size.unchecked pattern should be disabled and not disable
>> according to limits.c
> 
> Well spotted!
> 
> I am curious about why this feature was added. The man page says:
> 
> 	If it is set to disable, the search is not even performed; this
> 	can be used to disallow searches for a specific set of users.
> 
> Disallowing searches seems more like an ACL job than a limit job
> to me, so I did not mention this when writing up the Limits features
> for the Admin Guide.
> 
> Does anyone actually use unchecked=disabled and if so, why?

ACLs act too late, after the search has been performed; this acts at the 
candidate selection level, and with similar granularity in terms of the 
identity the request is performed as.  Now, search access to the 
searchBase is checked, so a search can be stopped even earlier.  This 
was not requested when this limits feature was introduced.

p.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------
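The two approaches contrasted in the reply above, side by side as a slapd.conf fragment. This is an added example, not part of the original thread or of the OpenLDAP documentation; the suffix, the DNs and the numeric limit are hypothetical.

```conf
# Constructed slapd.conf fragment; every DN and number below is hypothetical.
# Both directives belong in the database section that serves dc=example,dc=com.

# Approach 1: limits.
# Per the reply above, this acts at the candidate selection level, so a
# search issued by this identity is refused before entries are examined.
# The keyword is "disabled" (what limits.c accepts per ITS#5821), not
# "disable" as in the man page text quoted in the thread.
limits dn.exact="cn=batch,ou=services,dc=example,dc=com" size.unchecked=disabled

# Other authenticated identities: cap the number of candidates a search
# may examine (constructed value). limits lines are matched in order,
# so the more specific selector goes first.
limits users size.unchecked=5000

# Approach 2: ACL.
# Entries are checked against the ACL as the search runs, which is the
# "too late" of the reply: the work of selecting and examining candidates
# has already been done when access is denied.
access to dn.subtree="ou=people,dc=example,dc=com"
    by dn.exact="cn=batch,ou=services,dc=example,dc=com" none
    by anonymous auth
    by users read
```

After editing, `slaptest -u -f slapd.conf` parses the file and reports an unrecognized limit keyword without starting the server.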