Re: OpenLDAP goes too deep with regex's (ITS#2174)
> This is correct. Now, let's look at the fact that I have the following
> K5 Principals:
> Since krb5PrincipalName is a single-valued attribute, I cannot represent
> all 3 of these in the basic K5 schema. So, we also have suKrb5Name.
> So, my person entry could contain:
> So, depending on which TGT I bind as, I am still only going to ever get
> EXACTLY ONE entry. But, it should STOP searching when it gets that ONE
> entry. Instead it keeps searching. :)
I understand your point very well, but this doesn't change
the situation at all: this is correct for you, because you
designed your directory in a clever way, but in principle
might not be. If there'd ever be a situation where to stop
at first match is not the right choice, well, then you met it.
What you'd need in your special clever case is to have a
sizelimit of 1; unfortunately there's no way to enforce
a sizelimit via search URI (at least to my knowledge :).
One solution would be to implement a custom extension like
"x-sizelimit=<n>" (and, of course, "x-timelimit=<n>"); this
could be a good solution since in case the sizelimit is
exceeded you get an immediate return.
If the idea sounds good then feel free to submit a patch :)
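
An added sketch, not part of the original message and not OpenLDAP code, of how a server could read the proposed `x-sizelimit` / `x-timelimit` values from the extensions field of an LDAP search URL (RFC 4516 layout). The struct and function names are hypothetical, the sample URL is constructed, and percent-decoding is assumed to have been done already.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Limits taken from the URL extensions; -1 means "not given".
 * x-sizelimit / x-timelimit are the extensions proposed in the message. */
struct url_limits { long sizelimit, timelimit; };

/* Returns 0 on success, -1 on a malformed limit value or on an
 * unrecognised extension marked critical with a leading '!'. */
int parse_url_limits(const char *url, struct url_limits *out)
{
    const char *p = url;
    char buf[256];

    out->sizelimit = out->timelimit = -1;
    /* ldap://host/dn?attrs?scope?filter?extensions: skip four '?' */
    for (int i = 0; i < 4; i++) {
        p = strchr(p, '?');
        if (p == NULL)
            return 0;                 /* no extensions field at all */
        p++;
    }
    if (strlen(p) >= sizeof buf)
        return -1;
    strcpy(buf, p);

    for (char *ext = strtok(buf, ","); ext; ext = strtok(NULL, ",")) {
        int critical = (*ext == '!');
        long *dst = NULL;
        char *end;

        if (critical)
            ext++;
        if (strncmp(ext, "x-sizelimit=", 12) == 0)
            dst = &out->sizelimit;
        else if (strncmp(ext, "x-timelimit=", 12) == 0)
            dst = &out->timelimit;
        if (dst == NULL) {
            if (critical)
                return -1;            /* must not ignore a critical extension */
            continue;                 /* non-critical unknowns are skipped */
        }
        *dst = strtol(ext + 12, &end, 10);
        if (end == ext + 12 || *end != '\0' || *dst < 0)
            return -1;                /* empty, trailing junk, or negative */
    }
    return 0;
}

int main(void)
{
    struct url_limits l;
    int rc = parse_url_limits("ldap:///dc=example,dc=com??sub?(suKrb5Name=user@EXAMPLE.COM)?x-sizelimit=1", &l);
    printf("rc=%d sizelimit=%ld timelimit=%ld\n", rc, l.sizelimit, l.timelimit);
    return rc ? 1 : 0;
}
```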