
Re: Limits on anonymous binds



Mark Adamson wrote:
> 
> I was just speaking briefly with Pierangelo Masarati about how to set
> search limits on anonymous binds to slapd. The topic seems to have never
> been resolved, so I'd like to reopen it with a suggestion.  Our mail
> clients here at CMU like to bind anonymously to the LDAP server and do
> expansive searches like "cn=*rs*", which can take forever since the
> substring is shorter than the min substring length.
> 
> I'd just like to be able to define a way to set limits in slapd, without
> touching on anything like what string should be applied as the DN of an
> anonymous bind (e.g. cn=anonymous).  I'd like for the slapd.conf file to
> have one of the following two possibilities:
> 
> limits dn.exact=anonymous <limit>
> 
>   -or-
> 
> limits dn.anonymous  <limit>
> 
> Then if anyone connects and binds anonymously, these limits would apply
> instead of the default limits. get_limits() would still receive the
> parameter ndn=NULL or ndn="".  It's not much coding in limits.c, I'd just
> like to get a feel for what people think of the syntax.

I feel comfortable with both (maybe I prefer the second one).

I note that the present behavior requires one to explicitly
set a target dn when setting a limit, otherwise (non-matching
dn including anonymous) default limits are used.

The proposed change would make anonymous a special case; this 
means we need to explicitly keep track of anonymous limits.

The behavior of the suggested syntax can be reproduced by using
the anonymous limits as default, and by setting non-anonymous 
limits for dn=".+"; this is not very intuitive.

The proposed change would alter what is the usual behavior, in 
that default limits would apply to everybody not explicitly 
limited, except for anonymous.

What should happen if no anonymous limits are set? Use default?

My suggestion is first to make clear what default means to the
average user (what's its more intuitive definition) and whom 
the usual, old style limits should apply to: default or 
anonymous.

Pierangelo.

-- 
Dr. Pierangelo Masarati               | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale                | fax:   +39 02 2399 8334
Politecnico di Milano                 | mailto:masarati@aero.polimi.it
via La Masa 34, 20156 Milano, Italy   |
http://www.aero.polimi.it/~masarati
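As an added illustration (not code from this thread or from OpenLDAP's limits.c), the following Python model resolves limits for a bind DN the way the two messages above describe: an anonymous bind arrives as ndn=NULL or "", a proposed `dn.anonymous` entry applies to it, and otherwise a first-match rule table falls through to the defaults. It then checks Pierangelo's claim that the same behaviour can be obtained in the old style by making the anonymous limits the default and giving everyone with a non-empty DN a `dn.regex=".+"` rule. Class, function and rule names and all limit values are assumptions constructed for the example.

```python
# Added example: a small Python model of how a limits table could resolve the
# limits that apply to a bind, written to illustrate the two syntaxes discussed
# in the thread. It is not OpenLDAP's limits.c; the class, function and rule
# names are assumptions, and the limit values are constructed.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Limit:
    size: int  # maximum number of entries a search may return
    time: int  # maximum seconds a search may run


class LimitsTable:
    """First-match rule table with a default, plus an optional anonymous entry."""

    def __init__(self, default: Limit, anonymous: Optional[Limit] = None):
        self.default = default
        self.anonymous = anonymous  # models the proposed "limits dn.anonymous <limit>"
        self.rules: List[Tuple[str, str, Limit]] = []  # (style, pattern, limit)

    def add(self, style: str, pattern: str, limit: Limit) -> None:
        # style is "exact" or "regex", mirroring dn.exact= / dn.regex= selectors
        if style not in ("exact", "regex"):
            raise ValueError("unsupported selector style: %r" % style)
        self.rules.append((style, pattern, limit))

    def get_limits(self, ndn: Optional[str]) -> Limit:
        # An anonymous bind reaches get_limits() with ndn=NULL or ndn="".
        if not ndn:
            # Open question from the thread: with no anonymous entry,
            # this model falls back to the default limits.
            return self.anonymous if self.anonymous is not None else self.default
        for style, pattern, limit in self.rules:
            if style == "exact" and ndn == pattern:
                return limit
            if style == "regex" and re.fullmatch(pattern, ndn):
                return limit
        return self.default


# Constructed values: a tight limit for anonymous clients, a generous one otherwise.
ANON = Limit(size=50, time=30)
USERS = Limit(size=500, time=3600)


def proposed_syntax() -> LimitsTable:
    """Models:  limits dn.anonymous size=50 time=30   (defaults stay generous)."""
    return LimitsTable(default=USERS, anonymous=ANON)


def old_style_equivalent() -> LimitsTable:
    """Models the workaround from the reply: anonymous limits as the default,
    and every non-empty DN caught by a dn.regex=".+" rule."""
    table = LimitsTable(default=ANON)
    table.add("regex", ".+", USERS)
    return table


def same_result(ndn: Optional[str]) -> bool:
    """True when both configurations yield the same limits for this bind DN."""
    return proposed_syntax().get_limits(ndn) == old_style_equivalent().get_limits(ndn)


if __name__ == "__main__":
    for ndn in (None, "", "cn=mark,dc=cmu,dc=edu"):
        print(repr(ndn), proposed_syntax().get_limits(ndn), same_result(ndn))
```

The model makes the trade-off in the reply concrete: both tables return the same limits for NULL, "" and a real DN, but in the old-style table the tight values are what "default" means, so any later per-user `dn.exact=` rule must be placed before the `.+` rule to take precedence, which is the unintuitive part the reply points at.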