Re: Substring searches

[Pierangelo Masarati <masarati@aero.polimi.it>]

Jeremy Mortis wrote:
> 
> We are running a very large LDAP database, and I've noticed that
> substring searches less than 4 characters, e.g. cn=*ab*, result in a
> full scan of the database.  These can be limited with the timelimit, of
> course, but meanwhile the server gets bogged down.
> 
> What I'd like it to do is detect this in the filter parsing stage and
> either return an error message or transform it into a filter that
> quickly results in returning 0 entries.
> 
> Does anyone have any ideas of how this might be done, or any better
> ideas?

I have a patch that does exactly this (it applies to HEAD only).

http://www.sys-net.it/~ando/Download/filter-limits-2001-10-30.diff

I never committed it because after discussions it came out it
would have been of little use. Your mail seems to change things
a little. I can give you the patch; if you think it fits, then 
I'll commit it to HEAD code. It fits into a more general highly
granular limitation of the search operations that will probably
ship with 2.1. In servers/slapd/limits.c there's a comment saying
how to configure it. Basically you can decide to limit filter 
types to certain DNs in almost the same way you do with ACLs, 
but this check is done BEFORE the search is performed; e.g. you 
may allow ".*" to use only "pres" and "eq" filters, but not
"sub" or "approx". There's no such granularity to control the 
length of a substring, but it can be easily added if needed.

Pierangelo.

-- 
Dr. Pierangelo Masarati               | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale                | fax:   +39 02 2399 8334
Politecnico di Milano                 | mailto:masarati@aero.polimi.it
via La Masa 34, 20156 Milano, Italy   |
http://www.aero.polimi.it/~masarati