
Re: SLAPD: Should access checks take place before filter matching?



On Thursday, June 21, 2001, at 07:25 PM, Kurt D. Zeilenga wrote:

At 08:58 AM 6/21/2001, Simon Spero wrote:
During the course of testing some other stuff I noticed that several functions in filter_entry check acl info before they test to see if the filter matches.

In our ACM, one must have search permission to evaluate a filter
and read permission to return the entry. Search is dependent
on the filter and checked during filter evaluation. Read
permissions apply only to matching entries.

The set of results returned by an implementation that checks access before checking the filter, and the set returned by one that checks the filter before evaluating the access control are precisely identical. Any difference in semantics must therefore be operational - preventing the consumption of resources during the search.

In the current implementation, lack of search permissions is not checked until the search is almost complete - after the candidate entry has already been retrieved. Even the simplest access control check is much slower than the filter match; it's much better to eliminate filter non-matches first.

Simon
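
The ordering argument in this message, as an added example that is not part of the original post and is not slapd code: a toy model of one equality assertion evaluated over a constructed four-entry directory, once with the search-permission check first and once with the value comparison first, counting how often the access check runs. Every name here (`acl_search_allowed`, `value_matches`, `run_search`, the `searchable` flag) is hypothetical, and the model covers only a single equality assertion.

```c
#include <stdio.h>
#include <string.h>

/* Toy model, not slapd code: all names are hypothetical. */
struct entry { const char *dn; const char *mail; int searchable; };

/* Constructed sample directory; "searchable" stands for the requester
 * holding search permission on the mail attribute of that entry. */
static const struct entry dir[] = {
    {"cn=a,dc=example,dc=com", "a@example.com", 1},
    {"cn=b,dc=example,dc=com", "b@example.com", 0},
    {"cn=c,dc=example,dc=com", "c@example.com", 1},
    {"cn=d,dc=example,dc=com", "a@example.com", 0},
};
#define NENT (sizeof dir / sizeof dir[0])

static unsigned acl_calls;

/* Stand-in for the comparatively expensive access control evaluation. */
static int acl_search_allowed(const struct entry *e) { acl_calls++; return e->searchable; }

/* Stand-in for the cheap value comparison of the assertion (mail=v). */
static int value_matches(const struct entry *e, const char *v) { return strcmp(e->mail, v) == 0; }

/* Ordering 1: access check, then comparison. */
static int test_acl_first(const struct entry *e, const char *v) {
    return acl_search_allowed(e) && value_matches(e, v);
}

/* Ordering 2: comparison, then access check only for value matches. */
static int test_filter_first(const struct entry *e, const char *v) {
    return value_matches(e, v) && acl_search_allowed(e);
}

/* Evaluates (mail=v) over dir; returns a bitmask of matching entries
 * and stores the number of access checks performed in *calls. */
static unsigned run_search(int (*test)(const struct entry *, const char *),
                           const char *v, unsigned *calls) {
    unsigned mask = 0;
    acl_calls = 0;
    for (size_t i = 0; i < NENT; i++)
        if (test(&dir[i], v)) mask |= 1u << i;
    *calls = acl_calls;
    return mask;
}

int main(void) {
    unsigned c1, c2;
    unsigned m1 = run_search(test_acl_first, "a@example.com", &c1);
    unsigned m2 = run_search(test_filter_first, "a@example.com", &c2);
    printf("acl-first: mask=0x%x checks=%u\nfilter-first: mask=0x%x checks=%u\n", m1, c1, m2, c2);
    return m1 != m2;
}
```

Both orderings exclude `cn=d`, whose value matches but whose attribute is not searchable; only the number of access checks differs.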