
Re: limits

--On Monday, March 08, 2004 1:00 PM +0100 Pierangelo Masarati <ando@sys-net.it> wrote:

I'm considering the opportunity to move the search limits
selection/interpretation to the frontend, so they are
consistently used by all backends.  As such, the selected
structure with the appropriate limits, and their
interpretation in terms of usual search limits, should
be added to the req_search_s structure.

Moreover, I was considering the possibility to exploit
the limits infrastructure to set identity based limitations
to other operations, to provide a higher (and earlier)
selection of access in cooperation with ACLs.  E.g.:
limit write operations before the backend's function is
even called, or limit the possibility to use some control
(for proxyAuthz we already have the saslAuthz{To|From}
method, for paged results we already have some specific
limits on the size of the page and so on), but the approach
could be of general use.  We could also think to create
something analogous to ACIs, e.g. limits inside the data
(maybe the idea is not new, and I'm reinventing the wheel;
in case, forgive me).


I like the idea (in fact, when I originally put the limits directive in, I put it outside of the DB block, thinking that it would apply to everything). I also think the idea of expanding what limits you can place sounds good.

A conversation I had a while back with Howard (and Kurt?) was the idea of making it so that your ACL piece was a separate file (like slapdacl <path/file>). You could then have slapd check the freshness of that file periodically (every hour? 5 minutes? configurable?), and re-evaluate its ACLs. That would allow you to update your ACLs without stopping/starting slapd. With the structure of our ACLs, I find it unlikely we'll be using ACIs.


--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
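
The periodic freshness check on a separate ACL file discussed above, as an added example that is not part of the thread and is not OpenLDAP code. The names `acl_store`, `acl_parse` and `acl_refresh` are hypothetical, and the file is assumed to hold only slapd.conf-style `access to` clauses; the sketch keeps the previous rules in force whenever the new file fails the ownership, permission or syntax check.

```c
/* Hypothetical sketch: none of these names exist in slapd. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

struct acl_store {
    int rules;          /* number of "access to" clauses in effect */
    struct stat seen;   /* identity of the file last examined */
};
enum { ACL_UNCHANGED, ACL_RELOADED, ACL_REJECTED };

/* Count clauses; return -1 on any line that is not a comment, a blank,
 * a continuation (leading whitespace) or an "access to" clause. */
static int acl_parse(FILE *fp) {
    char line[1024];
    int n = 0;
    while (fgets(line, sizeof line, fp)) {
        if (line[0] == '#' || line[0] == '\n' || line[0] == ' ' || line[0] == '\t')
            continue;
        if (strncmp(line, "access to ", 10) != 0)
            return -1;
        n++;
    }
    return n;
}

/* Call from the periodic timer. The live rule set is replaced only
 * after the new file passed the permission check and parsed fully. */
int acl_refresh(struct acl_store *s, const char *path) {
    struct stat st;
    FILE *fp = fopen(path, "r");
    if (!fp) return ACL_REJECTED;
    /* fstat the open descriptor so the checked file is the one parsed */
    if (fstat(fileno(fp), &st) != 0) { fclose(fp); return ACL_REJECTED; }
    if (st.st_ino == s->seen.st_ino && st.st_size == s->seen.st_size &&
        st.st_mtime == s->seen.st_mtime && st.st_mode == s->seen.st_mode) {
        fclose(fp); return ACL_UNCHANGED;
    }
    s->seen = st;   /* remember it either way, so a bad file is not re-parsed */
    int n = -1;
    /* Refuse files someone other than the server's uid could have edited. */
    if (st.st_uid == geteuid() && !(st.st_mode & (S_IWGRP | S_IWOTH)))
        n = acl_parse(fp);
    fclose(fp);
    if (n < 0) return ACL_REJECTED;   /* old rules stay in force */
    s->rules = n;
    return ACL_RELOADED;
}
```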