[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: limits

To: Quanah Gibson-Mount <quanah@stanford.edu>
Subject: Re: limits
From: Pierangelo Masarati <ando@sys-net.it>
Date: Mon, 08 Mar 2004 18:38:37 +0100
Cc: openldap-devel@OpenLDAP.org
Organization: SysNet
References: <404C6046.6080706@sys-net.it> <859179805.1078738407@cadabra.stanford.edu>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20021003

Quanah Gibson-Mount wrote:

--On Monday, March 08, 2004 1:00 PM +0100 Pierangelo Masarati <ando@sys-net.it> wrote:

I'm considering the opportunity to move the search limits
selection/interpretation to the frontend, so they are
consistently used by all backends.  As such, the selected
structure with the appropriate limits, and their
interpretation in terms of usual search limits, should
be added to the req_search_s structure.

Moreover, I was considering the possibility to exploit
the limits infrastructure to set identity based limitations
to other operations, to provide a higher (and earlier)
selection of access in cooperation with ACLs.  E.g.:
limit write operations before the backend's function is
even called, or limit the possibility to use some control
(for proxyAuthz we already have the saslAuthz{To|From}
method, for paged results we already have some specific
limits on the size of the page and so, but the approach
could be of general use.  We could also think to create
something analogous to ACIs, e.g. limits inside the data
(maybe the idea is not new, and I'm reinventing the wheel;
in case, forgive me).

Ando,

I like the idea (in fact, when I originally put the limits directive in, I put it outside of the DB block, thinking that it would apply to everything).


that's what it does: limits outside the DB block
apply to all databases; what I'm talking about
won't change the behavior of the code, but limit
code duplication, provide an earlier limit
evaulation and also make the mechanism available
to other functions as well (limits are set and
available per-operation, not inside searches only)

I also think the idea of expanding what limits you can place sounds good.

A conversation I had a while back with Howard (and Kurt?) was the idea of making it so that your ACL piece was a separate file (like slapdacl <path/file>). You could then have slapd check the freshness of that file periodically (every hour? 5 minutes? configurable?), and re-evaluate its ACL's. That would allow you to update your ACL's without stopping/starting slapd. With the structure of our ACL's, I find it unlikely we'll be using ACI's.


Sounds interesting.  However, if we can change ACLs
and other stuff run-time, I like the idea of having
them in the DB, or at least to be able to access
them via LDAP protocol.  It sounds like something
that should impact back-monitor or back-config...

p.

--
Dr. Pierangelo Masarati         mailto:pierangelo.masarati@sys-net.it
LDAP Architect, SysNet s.n.c.   http://www.sys-net.it

   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497

References:
- limits
  - From: Pierangelo Masarati <ando@sys-net.it>
- Re: limits
  - From: Quanah Gibson-Mount <quanah@stanford.edu>

Prev by Date: Re: limits
Next by Date: overlay and failover
Index(es):
- Chronological
- Thread