Re: acl based sizelimit directive

[Pierangelo Masarati <ando@sys-net.it>]

Quanah Gibson-Mount wrote:

> Quoting Mark Hendricks <Mark.Hendricks@humboldt.edu>:
>
>  
>
> > Hello,
> >
> > I am running openldap-2.1.3.0.
> > I have used the sizelimit directive to limit the number of returns.
> >
> > I like this feature and want to keep it, however I have some
> > users/applications that need to access the entire directory.
> >
> > I would like to give them read only access to the entire directory with
> > no sizelimit.
> >
> > I have seen posts indicating that it is possible to do this but no
> > examples.
> >    
>
> This is the 2.2 version for a group.  Note that 2.1 doesn't support group
> based limits.
>
> limits group="cn=ldapadmin,cn=applications,dc=stanford,dc=edu" time.soft=-1
> time.hard=-1 size.soft=- 1 size.hard=-1
>
>
> This is the 2.2 version for an exact dn (user).  It may be slightly
> different for 2.1.
>
> limits dn.exact="cn=athletics,cn=service,cn=applications,dc=stanford,dc=edu"
> time.soft=-1 time.hard=-1 size.soft=-1 size.hard=-1
>  
Small differences; in 2.2 the following should be equivalent to what you 
posted:

limits dn.exact="cn=athletics,cn=service,cn=applications,dc=stanford,dc=edu"
   time=unlimited size=unlimited

i.e. the keyword "unlimited" is favored over -1 because only legal numerical values should be supplied, and whether "unlimited" is internally mapped to -1 or to any other value is implementation dependent and might change over time.  If the limit is non qualified (i.e. no "soft" or "hard" specification) it applies to both.  I think this is he same for 2.1, but I didn't check.

Ciao, p.




   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497