Re: (ITS#3510) ACL evaluation short-circuit would be nice



At 10:33 PM 1/23/2005, lukeh@padl.com wrote:
>Full_Name: Luke Howard
>Version: 2.2.22
>OS: Linux
>URL: ftp://ftp.openldap.org/incoming/
>Submission from: (NULL) (203.13.32.92)
>
>
>Perhaps ACL evaluation could be short-circuited for "access to *".
>
>Given a simple ACL configuration of:
>
>access to *
>    by users read
>    by * none
>
>on a heavily loaded machine, a search for "(objectClass=*)" takes a few seconds
>to return as each entry is checked against the ACL rule.
>
>It would be nice if an anonymous client could not consume server resources so
>easily.

In HEAD, with -DSLAP_ACL_HONOR_DISCLOSE, the client is
required to have "search" on baseObject entry...

Kurt