On Wednesday 29 August 2007 18:36, Pierangelo Masarati wrote:
hyc@symas.com wrote:
pcache currently caches the results of searches that hit server- or clientside size- or timelimits. That means that subsequent searches will get the (incomplete) results from the cache. I guess pcache should only cache operations that returned LDAP_SUCCESS.
Makes sense...
Well, I agree for timelimit, but sizelimit might be questionable. In fact, the only reason not to cache searches ending in sizelimit exceeded is that the size limit may depend on the client's identity. But this is true in general also for access to entries and to entry data, but we don't cache based on the identity of the client, so data cached with one identity (set A) might differ from data that would be returned by another identity for the very same search (set B), and both the relative complement of A in B and of B in A may be not empty. So, if we accept this for ACLs (no differences between the results returned for requests with different identities) I don't see why we should differentiate with respect to the size limit.
But a malicious client can then just send requests with sizelimit 1. Those queries will get cached and the database is of no real use anymore (IMO).
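
The caching behaviour debated in this thread, as an added example that is not part of the original messages and is not OpenLDAP code: a toy Python model of a query cache run under both policies (cache any result, cache only LDAP_SUCCESS). `QueryCache`, `backend_search`, the sample entries and the `dc=example,dc=com` base are assumptions constructed for illustration; the three result codes are the standard LDAP values.

```python
# Toy model of a proxy query cache (added example, not slapd/pcache code).
LDAP_SUCCESS = 0
LDAP_TIMELIMIT_EXCEEDED = 3
LDAP_SIZELIMIT_EXCEEDED = 4

# Constructed backend data: the entries matching the filter (uid=*).
BACKEND = ["uid=alice", "uid=bob", "uid=carol", "uid=dave"]


def backend_search(sizelimit=0):
    """Return (result_code, entries); sizelimit 0 means no limit."""
    if sizelimit and len(BACKEND) > sizelimit:
        return LDAP_SIZELIMIT_EXCEEDED, BACKEND[:sizelimit]
    return LDAP_SUCCESS, list(BACKEND)


class QueryCache:
    def __init__(self, success_only):
        self.success_only = success_only
        self.store = {}  # (base, scope, filter) -> cached entries

    def search(self, key, sizelimit=0):
        if key in self.store:
            cached = self.store[key]
            # Answered from the cache; still honour the caller's size limit.
            if sizelimit and len(cached) > sizelimit:
                return LDAP_SIZELIMIT_EXCEEDED, cached[:sizelimit]
            return LDAP_SUCCESS, list(cached)
        rc, entries = backend_search(sizelimit)
        # Policy under discussion: store every answer, or only complete ones.
        if rc == LDAP_SUCCESS or not self.success_only:
            self.store[key] = entries
        return rc, entries


def demo(success_only):
    cache = QueryCache(success_only)
    key = ("dc=example,dc=com", "sub", "(uid=*)")
    cache.search(key, sizelimit=1)   # first client asks with sizelimit 1
    return cache.search(key)         # second client asks with no limit


if __name__ == "__main__":
    print("cache any result:  ", demo(success_only=False))
    print("cache success only:", demo(success_only=True))
```

Under the first policy the second client receives a single entry reported as LDAP_SUCCESS, so the truncation is invisible to it; under the second policy the truncated answer is never stored and the full set is fetched from the backend.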