Re: Another overlay question

["Pierangelo Masarati" <ando@sys-net.it>]

> Hi!
>
> As people might remember I'm working on a overlay that handles access
> control by using a external authorization service.
>
> Now, using a external authorization service is of course more costly
> than using the internal access control, so naturally I'd like to keep
> the number of calls down as much as I can.
>
> So in that context, why is it that if I issue a search *and* specify
> that I only want a certain set of attributes returned, my overlay still
> sees every attribute (not just the ones I asked for) that entries in
> the returnset contains ?

In principle, restricting the set of returned attributes to those actually
required is delegated to the frontend, while overlays lay between the
frontend and the backend.

Some of the backends return the entire entry to the frontend because it is
considered less expensive to apply a readlock to an existing entry rather
than to duplicate the requested portion of it.  Other backends (back-ldap
and partially back-sql, for instance) actually return only the requested
set of attribute, or little more.

You may safely ignore those attributes that are not requested (usually by
looking at rs->sr_attrs with ad_inlist(); remember to deal with
rs->sr_attrs == NULL and with the "*" and "+" special requests).
As an example, you may look at slap_send_search_entry() in
servers/slapd/result.c (a helper might be desirable, to avoid code
duplication and ease code reworking; patches welcome).

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497