[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SLAPD: Should access checks take place before filter matching?

On Thursday, June 21, 2001, at 07:25 PM, Kurt D. Zeilenga wrote:

At 08:58 AM 6/21/2001, Simon Spero wrote:
During the course of testing some other stuff I noticed that several functions in filter_entry check acl info before they test to see if the filter matches.

In our ACM, one must have search permission to evaluate a filter
and read permission to return the entry. Search is dependent
on the filter and checked during filter evaluation. Read
permissions apply only to matching entries.

The set of results returned by an implementation that checks access before checking the filter, and the set returned by one that checks the filter before evaluating the access control are precisely identical. Any difference in semantics must therefore operational - preventing the consumption of resources during the search.

In the current implementation, lack of search permissions are not checked until the search is almost complete - after the candidate entry has already been retrieved. Even the simplest access control checks is much slower than the filter match, it's much better to eliminate filter non-matches first.