Re: (ITS#3510) ACL evaluation short-circuit would be nice
At 10:33 PM 1/23/2005, lukeh@padl.com wrote:
>Full_Name: Luke Howard
>Version: 2.2.22
>OS: Linux
>URL: ftp://ftp.openldap.org/incoming/
>Submission from: (NULL) (203.13.32.92)
>
>
>Perhaps ACL evaluation could be short-circuited for "access to *".
>
>Given a simple ACL configuration of:
>
>access to *
> by users read
> by * none
>
>on a heavily loaded machine, a search for "(objectClass=*)" takes a few seconds
>to return as each entry is checked against the ACL rule.
>
>It would be nice if an anonymous client could not consume server resources so
>easily.
In HEAD, with -DSLAP_ACL_HONOR_DISCLOSE, the client is
required to have "search" on baseObject entry...
Kurt
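
The short-circuit requested in the report, sketched as an added example that is not part of this thread and not OpenLDAP code: when the first rule targets `*` and every `by` clause up to the first match depends only on the client, the access level can be computed once per search instead of once per entry. The `Rule` type, the function names and the reduced `who` vocabulary (`*`, `anonymous`, `users`, `self`) are assumptions of this model; slapd's attribute-level rules and control keywords are not modelled.

```python
# Toy model of the short-circuit proposed in ITS#3510; not OpenLDAP code.
from dataclasses import dataclass

LEVELS = {"none": 0, "auth": 1, "compare": 2, "search": 3, "read": 4, "write": 5}
ENTRY_INDEPENDENT_WHO = {"*", "anonymous", "users"}  # depend only on the client

@dataclass
class Rule:
    what: str    # "*" or a DN suffix (simplified target matching)
    by: list     # ordered (who, level) pairs, first match wins

def who_matches(who, client_dn, entry_dn):
    return {"*": True, "anonymous": client_dn is None,
            "users": client_dn is not None,
            "self": client_dn == entry_dn}.get(who, False)  # only "self" looks at the entry

def access(rules, client_dn, entry_dn):
    """Per-entry evaluation: first rule whose target matches, first matching who."""
    for rule in rules:
        if rule.what == "*" or entry_dn.endswith(rule.what):
            for who, level in rule.by:
                if who_matches(who, client_dn, entry_dn):
                    return level
            return "none"                   # implicit "by * none"
    return "none"

def precomputed_level(rules, client_dn):
    """Return one level valid for every entry, or None if entries must be checked."""
    if not rules or rules[0].what != "*":
        return None
    for who, level in rules[0].by:
        if who not in ENTRY_INDEPENDENT_WHO:
            return None                     # e.g. "self": cannot decide up front
        if who_matches(who, client_dn, ""):
            return level
    return "none"

def search(rules, client_dn, entries, need="read"):
    """Return (visible entries, number of per-entry ACL evaluations)."""
    level = precomputed_level(rules, client_dn)
    if level is not None:
        ok = LEVELS[level] >= LEVELS[need]
        return (list(entries) if ok else []), 0
    visible = [e for e in entries if LEVELS[access(rules, client_dn, e)] >= LEVELS[need]]
    return visible, len(entries)
```

With the ACL from the report, an anonymous search is rejected with zero per-entry evaluations; a rule containing `self` falls back to checking every entry.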