[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#3510) ACL evaluation short-circuit would be nice

At 10:33 PM 1/23/2005, lukeh@padl.com wrote:
>Full_Name: Luke Howard
>Version: 2.2.22
>OS: Linux
>URL: ftp://ftp.openldap.org/incoming/
>Submission from: (NULL) (
>Perhaps ACL evaluation could be short-circuited for "access to *".
>Given a simple ACL configuration of:
>access to *
>    by users read
>    by * none
>on a heavily loaded machine, a search for "(objectClass=*)" takes a few seconds
>to return as each entry is checked against the ACL rule.
>It would be nice if an anonymous client could not consume server resources so

In HEAD, with -DSLAP_ACL_HONOR_DISCLOSE, the client is
required to have "search" on baseObject entry...