On Wednesday 29 August 2007 18:36, Pierangelo Masarati wrote:
>> pcache currently caches the results of searches that hit server- or
>> clientside size- or timelimits. That means that subsequent searches will
>> get the (incomplete) results from the cache. I guess pcache should only
>> cache operations that returned LDAP_SUCCESS.
> Makes sense...
Well, I agree for timelimit, but sizelimit might be questionable. In
fact, the only reason not to cache searches ending in sizelimit exceeded
is that the size limit may depend on the client's identity. But this is
true in general also for access to entries and to entry data, but we
don't cache based on the identity of the client, so data cached with one
identity (set A) might differ from data that would be returned by
another identity for the very same search (set B), and both the relative
complement of A in B and of B in A may be non-empty. So, if we accept
this for ACLs (no differences between the results returned for requests
with different identities) I don't see why we should differentiate with
respect to the size limit.
But a malicious client can then just send requests with sizelimit 1. Those
queries will get cached and the database is of no real use anymore (IMO).
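
The caching behaviour discussed in this thread, as an added example that is not part of the original messages and is not OpenLDAP's pcache code: a toy proxy cache, run once with the current policy and once with the proposed "cache only LDAP_SUCCESS" policy. The class, function names and directory entries are constructed for illustration; the result codes are the standard LDAP values.

```python
# Toy model of a proxy search cache; names and data are hypothetical.
LDAP_SUCCESS = 0
LDAP_SIZELIMIT_EXCEEDED = 4  # standard LDAP result codes (RFC 4511)

# Constructed sample directory.
DIRECTORY = [
    {"dn": "uid=alice,dc=example,dc=com", "uid": "alice"},
    {"dn": "uid=bob,dc=example,dc=com", "uid": "bob"},
    {"dn": "uid=carol,dc=example,dc=com", "uid": "carol"},
]

def backend_search(base, filt, sizelimit=0):
    """Return (result_code, entries); sizelimit 0 means no limit.
    The filter is only used as part of the cache key in this model."""
    matches = [e for e in DIRECTORY if e["dn"].endswith(base)]
    if sizelimit and len(matches) > sizelimit:
        return LDAP_SIZELIMIT_EXCEEDED, matches[:sizelimit]
    return LDAP_SUCCESS, matches

class ProxyCache:
    def __init__(self, cache_only_success):
        self.cache_only_success = cache_only_success
        # Key omits sizelimit and client identity, as described in the thread.
        self.store = {}

    def search(self, base, filt, sizelimit=0):
        """Return (result_code, entries, answered_from_cache)."""
        key = (base, filt)
        if key in self.store:
            entries = self.store[key]
            if sizelimit and len(entries) > sizelimit:
                return LDAP_SIZELIMIT_EXCEEDED, entries[:sizelimit], True
            return LDAP_SUCCESS, entries, True
        rc, entries = backend_search(base, filt, sizelimit)
        # Proposed policy: keep the result only if the search completed.
        if rc == LDAP_SUCCESS or not self.cache_only_success:
            self.store[key] = entries
        return rc, entries, False

def second_client_view(cache_only_success):
    """Client 1 searches with sizelimit 1; client 2 repeats it with no limit."""
    cache = ProxyCache(cache_only_success)
    cache.search("dc=example,dc=com", "(uid=*)", sizelimit=1)
    rc, entries, from_cache = cache.search("dc=example,dc=com", "(uid=*)")
    return rc, len(entries), from_cache

if __name__ == "__main__":
    print("cache everything:  ", second_client_view(False))
    print("cache success only:", second_client_view(True))
```
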