Re: Access control based on attribute of binded user ?
- To: Mads Freek <firstname.lastname@example.org>
- Subject: Re: Access control based on attribute of binded user ?
- From: Pierangelo Masarati <email@example.com>
- Date: Mon, 13 Aug 2001 12:29:52 +0200
- Cc: OpenLDAP-software <OpenLDAP-software@OpenLDAP.org>
- Organization: SysNet
- References: <B79D75CE.108Cfirstname.lastname@example.org>
Mads Freek wrote:
> on 8/13/01 11:56 AM, Pierangelo Masarati at email@example.com wrote:
> > However, it looks like evaluating this sort of ACLs would
> > be costly in terms of time. In this case, as well as in
> > case of other costly acl evaluations, maybe we might
> Why would it be costly to apply a filter against one bound user?
When a user is successfully bound, its dn is stored
in the operation structure. The ACL check is performed
against this dn, there's no knowledge of the entry
of a bound user.
In the current implementation of the ACL checks, the
rule you depicted would require the fetching of the
entry of the bound dn each time the <what> clause
is to be checked. On the contrary, if we pool the
ACL checks, we can fetch the entry once and apply the
rule once, then each time the <what> clause is matched
we already know if the bound dn matches. The operation
is still costly if the rule is evaluated once per
operation, but it is somehow optimized in case multiple
entries result from the search.
Dr. Pierangelo Masarati mailto:firstname.lastname@example.org
Developer, SysNet s.n.c. http://www.sys-net.it
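The cost argument above, as an added illustration that is not part of the thread and not slapd's own ACL code: a toy directory and a rule whose `<who>` side depends on an attribute of the bound user's entry. The naive evaluator fetches the bound entry every time the `<what>` clause matches a candidate; the pooled evaluator fetches it once per operation and remembers the verdict. The DNs, attributes, rule shape and fetch counter are all constructed for the example.

```python
"""Simulated ACL evaluation where the <who> clause is a filter on the
bound user's own entry (e.g. "users with department=eng may read the
project entries").  Compares a per-match fetch against a per-operation
fetch, counting how often the backend is asked for the bound entry."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed in-memory directory; not a real DIT.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=alice,ou=people,dc=example,dc=com": {"cn": ["Alice"], "department": ["eng"]},
    "uid=bob,ou=people,dc=example,dc=com": {"cn": ["Bob"], "department": ["sales"]},
    "cn=proj1,ou=projects,dc=example,dc=com": {"cn": ["proj1"]},
    "cn=proj2,ou=projects,dc=example,dc=com": {"cn": ["proj2"]},
    "cn=proj3,ou=projects,dc=example,dc=com": {"cn": ["proj3"]},
}

PROJECTS_SUFFIX = "ou=projects,dc=example,dc=com"


@dataclass
class Operation:
    """Per-operation state: the bound dn (as the server stores it),
    a fetch counter, and a cache of already-evaluated <who> verdicts."""
    bound_dn: str
    fetches: int = 0
    who_cache: Dict[Tuple[str, str], bool] = field(default_factory=dict)


@dataclass
class Rule:
    """<what>: entries under what_suffix; <who>: bound entry has attr=value."""
    what_suffix: str
    who_attr: str
    who_value: str


def fetch_entry(op: Operation, dn: str) -> Optional[Dict[str, List[str]]]:
    """Backend lookup of the bound user's entry; every call is counted."""
    op.fetches += 1
    return DIRECTORY.get(dn)


def entry_matches(entry: Optional[Dict[str, List[str]]], attr: str, value: str) -> bool:
    return entry is not None and value in entry.get(attr, [])


def what_matches(rule: Rule, target_dn: str) -> bool:
    return target_dn.endswith(rule.what_suffix)


def who_matches_naive(op: Operation, rule: Rule) -> bool:
    """Fetch the bound entry on every check (the cost the reply describes)."""
    return entry_matches(fetch_entry(op, op.bound_dn), rule.who_attr, rule.who_value)


def who_matches_pooled(op: Operation, rule: Rule) -> bool:
    """Fetch once per operation, then reuse the verdict for later matches."""
    key = (rule.who_attr, rule.who_value)
    if key not in op.who_cache:
        entry = fetch_entry(op, op.bound_dn)
        op.who_cache[key] = entry_matches(entry, rule.who_attr, rule.who_value)
    return op.who_cache[key]


def search(op: Operation, rule: Rule, candidates: List[str],
           who_check: Callable[[Operation, Rule], bool]) -> List[str]:
    """Return the candidate entries the bound user is allowed to see."""
    allowed = []
    for dn in candidates:
        # <who> is only consulted when <what> matched, as in the reply.
        if what_matches(rule, dn) and who_check(op, rule):
            allowed.append(dn)
    return allowed


def compare(bound_dn: str) -> Tuple[List[str], int, List[str], int]:
    """Run the same search both ways; return (naive result, naive fetches,
    pooled result, pooled fetches)."""
    rule = Rule(PROJECTS_SUFFIX, "department", "eng")
    candidates = [dn for dn in DIRECTORY if dn.endswith(PROJECTS_SUFFIX)]
    naive_op = Operation(bound_dn)
    naive = search(naive_op, rule, candidates, who_matches_naive)
    pooled_op = Operation(bound_dn)
    pooled = search(pooled_op, rule, candidates, who_matches_pooled)
    return naive, naive_op.fetches, pooled, pooled_op.fetches


if __name__ == "__main__":
    for who in ("uid=alice,ou=people,dc=example,dc=com",
                "uid=bob,ou=people,dc=example,dc=com"):
        n_res, n_fetch, p_res, p_fetch = compare(who)
        print(f"{who}: naive {len(n_res)} entries / {n_fetch} fetches, "
              f"pooled {len(p_res)} entries / {p_fetch} fetches")
```

Both strategies return the same entries; with three matching candidates the naive path asks the backend for the bound entry three times while the pooled path asks once, which is exactly the "fetch the entry once and apply the rule once" saving described above. For a search that returns a single entry the two paths cost the same, matching the remark that the rule is still paid for once per operation.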