[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: PATCH: cache_groupacl {on|off}

> -----Original Message-----
> From: owner-openldap-devel@OpenLDAP.org
> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Quanah Gibson-Mount

> Hm... But in my experience of using static groups so far here
> at Stanford,
> is that the membership of a static group is not cached right now.  I
> routinely add new members to static groups, and they have
> access from that
> point on.  Or are you saying, a routine should be added to cache the
> membership, that only re-evaluates it when the
> modifyTimeStamp has changed?

Currently there is a cache maintained for each session of all the groups that
are referenced by an ACL. It means that any group is only checked once. If
you add a user to a group, and they aren't currently connected, then they
will of course have access the next time they connect. If they are connected
when you make the change, it's indeterminate whether they will get access in
that session.

> Also, if this route is going to be explored, why limit it to
> groups?  If
> the entry has changed since the server started, re-evaluate
> the ACL's.

Right. This is not an issue in 2.1.x since there is no session-based caching
of users' entry info. Dynamic groups in 2.2 use the same group cache as for
static groups though, and I already mentioned checking the user's
modifyTimeStamp. But all of that can be avoided.

> That would certainly drop the "restart slapd to re-evauluate
> your ACL's"
> bit.   I think that could be problematic at sites where changes to
> accessing entities (human or otherwise) are made frequently.

That's a separate issue. Changes to slapd.conf imply changes to the operating
environment that are limitless in scope. The change could be trivial, or it
could completely redefine all of the databases and all of the schema etc. and
there's no way to tell.

> As for the ACL's changing out from under a given bind, I
> don't like that
> idea, either... I think the environment of any given bind should stay
> consistent through it getting closed.

Right. That was my motivation in originally making the group ACL cache a
per-session item. But now I'm just about convinced that per-operation
consistency is better.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support