[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Regex-based per op_ndn time/size limits

To: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Subject: Re: Regex-based per op_ndn time/size limits
From: Pierangelo Masarati <masarati@aero.polimi.it>
Date: Wed, 01 Aug 2001 10:32:38 +0200
Cc: openldap-devel@OpenLDAP.org
Organization: Dipartimento di Ingegneria Aerospaziale
References: <200107280934.f6S9Y9R12713@server.aero.polimi.it> <5.1.0.14.0.20010731114236.00b0e528@127.0.0.1>

"Kurt D. Zeilenga" wrote:

> yes.   What I suggest is adding a "to be checked"
> limit.  That is, if the indexing system (commonly due
> to lack of appropriate indexes) returns too long of a
> list, then the search immediately (without checking or
> returning any entry) completes with unwillingToPerform.
>
> I note for time/size (and other) limits, separate
> soft and hard limits would be nice.  That is, if
> the size limits were 500 soft, 1000, hard, the limit
> would be limited to 500 entries unless they request
> a specific limit.  If that limit exceeds the hard
> limit, unwillingToPerform would be immediately
> returned.

I submitted a change in this direction. Now the limits
(global, per backend and per op_ndn) are:
- soft: if no limit is requested, this is used as in the
original slapd.
- hard: if this is set (default is not), if a limit is
requested and it is larger that the hard limit, the
search retursn unwillingToPerform; if it is 0
(the default) the original behavior results,
that is the soft limit is silently used instead of the
required one; if it is set to -1, no hard limit is enforced,
and the requested limit is honored.

These two apply both to time and size.

- unchecked: if this is set (default is not), if the number
of candidates exceedes the limit, unwillingToPerform
is issued.

These facilities, coupled to the per op_ndn limit selection,
shoul help in tailoring installations in case of heavy load:
the to-be-checked feature drops malformed searches on
badly indexed attribs, the hard limit feature drops malformed
searches expecting too many results; the per op_ndn allows
authenticated people to do heavy duty work under strict
administrative control.

I did my best to preserve the original behavior and
backwards compatible syntax. If one uses

sizelimit    <integer>
timelimit    <integer>

the traditional behavior is preserved (please notify any
inconvenience!). The new behavior is obtained by using

timelimit    time[.{soft|hard}]=<integer>
sizelimit    size[.{soft|hard|unchecked}]=<integer>

the per op_ndn behavior is obtained by using (inside
a backend):

limits    [dn[.{regex|exact}]=]<dn pattern> <limit> [...]

with <dn pattern> represented by a dn in case of "exact"
match and a case-insensitive, extended regex pattern
in case of "regex" match (the default), <and <limit>:

time[.{soft|hard}]=<integer>
size[.{soft|hard|unchecked}]=<integer>

Enjoy!

Pierangelo.

--
Dr. Pierangelo Masarati               | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale                | fax:   +39 02 2399 8334
Politecnico di Milano                 | mailto:masarati@aero.polimi.it
via La Masa 34, 20156 Milano, Italy   |
http://www.aero.polimi.it/~masarati

Next by Date: LDAP and paging: RFC 2696
Index(es):
- Chronological
- Thread