
Re: some thoughts on indexing (Was: Some openldap fixes... (fwd))



On Fri, 22 Sep 2000, Kurt D. Zeilenga wrote:

> At 10:52 AM 9/22/00 +0200, peter wrote:
> > I also plan to implement some additional administrative limits:
> >>       1) return error to client if number of candidates
> >>       exceeds a limit (before testing)
> >would break LDAP specs, I think...
> 
> No, a server is free to enforce arbitrary administrative limits.
> 
> >why though ?
> 
> To disallow operations which would tie up the server for huge
> amounts of time.

- I think this is a great idea. It's a feature that I've often 
wanted. In the years we've been running LDAP in production we've
had more than a few inadvertent DOS attacks. As LDAP gains more
and more visibility and becomes part of the authority infrastructure,
features like this are a MUST in my humble opinion. At this point
we are so dependent on having the LDAP server up that we've had
to close the LDAP server to general access. 

- To add an additional wrinkle to the code, it would be great if
this limit were somehow linked to the indexing of the attribute
(i.e. if the attribute is indexed for the kind of search you're
doing, up the limit; if not, lower it). I'm not sure how feasible
this is in practice or whether it even makes sense in the context
of this discussion. 

- Booker C. Bense
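
A toy model of the limit discussed in this thread, added here as an illustration; it is not code from the original messages or from OpenLDAP. It refuses a search when the candidate count exceeds a limit before any entry is tested against the filter, and picks a higher limit for indexed attributes than for unindexed ones. The class, its method names, the limits and the directory entries are all constructed assumptions.

```python
# Toy model only: hypothetical names, not OpenLDAP's API or data structures.
SUCCESS = 0
ADMIN_LIMIT_EXCEEDED = 11  # LDAP resultCode adminLimitExceeded (RFC 2251)

class ToyBackend:
    def __init__(self, entries, indexed_attrs, indexed_limit, unindexed_limit):
        self.entries = entries
        self.indexed_limit = indexed_limit      # higher: index narrows the work
        self.unindexed_limit = unindexed_limit  # lower: search is a full scan
        self.tested = 0                         # entries run through the filter
        # Equality index: attribute -> value -> set of entry ids
        self.index = {a: {} for a in indexed_attrs}
        for eid, entry in enumerate(entries):
            for a in indexed_attrs:
                for v in entry.get(a, []):
                    self.index[a].setdefault(v, set()).add(eid)

    def search_eq(self, attr, value):
        if attr in self.index:
            candidates = self.index[attr].get(value, set())
            limit = self.indexed_limit
        else:
            # No index for this attribute: every entry is a candidate.
            candidates = range(len(self.entries))
            limit = self.unindexed_limit
        # The administrative check happens before any filter testing.
        if len(candidates) > limit:
            return ADMIN_LIMIT_EXCEEDED, []
        hits = []
        for eid in candidates:
            self.tested += 1
            if value in self.entries[eid].get(attr, []):
                hits.append(eid)
        return SUCCESS, sorted(hits)

def demo():
    # Constructed sample directory: 1000 entries, uid and ou indexed.
    entries = [{"uid": [f"u{i}"],
                "ou": ["staff" if i % 2 else "student"],
                "roomNumber": [str(i % 10)]} for i in range(1000)]
    be = ToyBackend(entries, ["uid", "ou"], indexed_limit=600, unindexed_limit=100)
    r_uid = be.search_eq("uid", "u42")        # indexed, 1 candidate
    r_ou = be.search_eq("ou", "staff")        # indexed, 500 candidates <= 600
    tested_before = be.tested
    r_room = be.search_eq("roomNumber", "7")  # unindexed, 1000 candidates > 100
    return r_uid, r_ou, r_room, tested_before, be.tested

if __name__ == "__main__":
    print(demo())
```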