[Date Prev][Date Next]
> The limit code in the frontend needs also to be run before calling
> backend operations internally.
> How about having a utilify function to set the operation limits ?
> instead of duplicating codes ?
I already moved the code into do_search(); we could make
a be_search() where to put limits and delegate the actual
call to be->be_search to it. I think the backend selection
should not be there. Note that usually internal searches
are likely to be run with special privileges, but to be
general I guess limits could apply to them.
If we plan to move limits to other operations, the
infrastructure needs a further level of generalization;
but first we should make clear what is worth limiting,
or at least to design what types of parameters should
be limited. For searches we already have a reasonable
set: soft/hard size/time, candidates, page size; since
there are no other bulk operations in LDAP, I don't
actually see anything we could do better than with ACLs.
The only advantage of using limits istead of ACLs is
that operation denial occurs a bit earlier, based on
the identity of the issuer, with no knowledge of the
values or types the restriction applies to.
Right now, I feel fine with search limits in the
front-end, possibly wrapping calls to be->be_search(),
but I'd like to know if anybody thinks there is room
for more applications.
- From: Pierangelo Masarati <firstname.lastname@example.org>
- Re: limits
- From: "Jong" <jongchoi@OpenLDAP.org>