andrew.findlay@skills-1st.co.uk wrote:
On Thu, Nov 20, 2008 at 02:43:22PM +0000, kkalev@gmail.com wrote:
In the manpage for slapd.conf (slapd.conf.5) in the limits directive description the value for the size.unchecked pattern should be disabled and not disable according to limits.c
Well spotted!
I am curious about why this feature was added. The man page says:
If it is set to disable, the search is not even performed; this can be used to disallow searches for a specific set of users.
Disallowing searches seems more like an ACL job than a limit job to me, so I did not mention this when writing up the Limits features for the Admin Guide.
Does anyone actually use unchecked=disabled and if so, why?
ACLs act too late, after the search has been performed; this acts at the candidate selection level, and with similar granularity in terms of identity the request is performed as. Now, search access to the searchBase is checked, so a search can be stopped even earlier. This was not requested when this limits feature was introduced.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Fax: +39 0382 476497 Email: ando@sys-net.it -----------------------------------
-
ando@sys-net.it