[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#4316) proxycache attrsets

Pierangelo Masarati wrote:
>> Full_Name: Howard Chu
>> Version: 2.3
>> OS:
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (
>> Submitted by: hyc
>> The Admin Guide example
>> http://www.openldap.org/doc/admin23/proxycache.html
>> indicates that an attrset will be used if it is a superset of the
>> attributes
>> present in a particular search query. However, the get_attr_set/attrscmp
>> functions will only match a set if it is exactly equal to the attrs in the
>> query. The documented behavior would certainly be more useful.
> I think this has been suggested many times (I'll dig in the archives) but
> AFAIR there was some technical answer which I don't recall that prevented
> it.
Actually, if you notice the find_supersets() function in the code, the 
design was intended to behave as documented. It is simply broken.

>> It would make even more sense to always use all the attrs in the attrset
>> on the
>> remote query, so that they'll all be in the cache, regardless of what
>> subsets of
>> the attrset are used in a specific query.
> Don't forget access control issues; I think by playing with attrsets they
> can be limited, e.g. by only caching public searches or so.  In any case,
> I'd leave the possibility to define attrsets.

I really don't see that allowing subsets of attrsets to work as desired 
has any impact on the overall access control policies.

  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/