Re: dynamic groups
by Michał Szulczyński
Howard Chu wrote:
> One last question that may need an answer:
> what groups does user X belong to?
>
> Obviously you need to perform a search to determine this. And with the current
> indexing mechanisms, dynamic groups will fail to be matched since they don't
> actually contain an indexed static member list. If this is the question you're
> trying to answer, the solution is simply to maintain a list of dynamic group
> objects (as your current code already does) but not to populate them. Instead,
> just use a search response callback and see if "member" is a part of the
> filter. If it is, iterate through the dynamic groups and test the entry whose
> DN is in the filter assertion against all of the dynamic group filters. This
> solution will use far less memory than your approach, and it will run
> efficiently for just about all use cases.
This was actually the first idea we thought of, we concluded that it
would slow the search down, because then the algorithmic complexity of
the search would be O(n), with n as the number of dynamic groups. We
think this would be somewhat against the idea of LDAP directories, where
the number of search operations far outweigh the number of updates. It
is a trade-off between update speed and search speed, but we think that
the search speed is essential, and the update operations are not our
primary concern speed-wise.
--
Michał Szulczyński
Praktykant
Altkom Akademia S.A. http://www.altkom.pl
Warszawa, ul. Chłodna 51
kom. +48 603-338-373
Sąd Rejonowy dla m.st. Warszawy w Warszawie, XII Wydział Gospodarczy Krajowego Rejestru Sądowego,
KRS: 0000120139, NIP 118-00-08-391, Kapitał zakładowy: 1000 000 PLN. Adres rejestrowy Firmy - ul. Stawki 2, 00-193 Warszawa.
Niniejsza wiadomość zawiera informacje zastrzeżone i stanowiące tajemnicę przedsiębiorstwa firmy Altkom Akademia S.A.
Ujawnianie tych informacji osobom trzecim lub nieuprawnione wykorzystanie ich do własnych celów jest zabronione.
Jeżeli otrzymaliście Państwo niniejszą wiadomość omyłkowo, prosimy o niezwłoczne skontaktowanie się z nadawcą oraz usunięcie wszelkich kopii niniejszej wiadomości.
This message contains proprietary information and trade secrets of Altkom Akademia S.A. company.
Unauthorized use or disclosure of this information to any third party is prohibited.
If you received this message by mistake, please contact the sender immediately and delete all copies of this message.
15 years, 2 months
Re: imporvement to slapo-constraint (ITS#4987)
by Howard Chu
manu(a)netbsd.org wrote:
> Gavin Henry <ghenry(a)suretecsystems.com> wrote:
>
>> It would be best to move this dicussion to openldap-devel(a)openldap.org now.
>
> Let's go...
>
> Summarry: I've added a new feature to slapo-constraint for constraining
> a value attribute the the existing values of another attribute. The idea
> is that you can have a catalog of allowed values (eg: for titles: Mr,
> Mrs, Miss) and constraint an attribute to these values
>
> Before working further on this patch (style, dod), I'd like some feeback
> on:
> 1) the way it's implemented: is there rought bugs, or is the logic fine?
I haven't looked at the patch yet.
> 2) configuration syntax: do we keep this one or do we swtich to
> something else?
Something like
constraint-reference attr1 attr2
might be better.
For simple directives, it's better to use positional parameters and no tag words.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
15 years, 2 months
Trouble with Bind/overlays/callbacks
by Howard Chu
In slapd just about all of the operation handlers send their results from the
backend directly to the client. The notable exception is for the Bind
operation, which sends failures directly to the client, but has to return
successes to the frontend to allow final processing to occur there. This
difference causes a fair bit of complexity when writing Bind handlers in
backends and overlays.
In 2.3 we ran into other sequencing issues that could only be solved by moving
some of the Bind cleanup into a callback (connection_bind_cb). We have an
opportunity now to move all of the postprocessing into that callback, allowing
us to remove all special case handling of Binds in the backends and overlays.
Of course, making this change will touch every backend that handles Bind
operations. It may impact overlays that intercept Binds as well.
In particular, overlays that insert response callbacks on Bind operations can
potentially break in the current code. I.e., if an overlay inserts a callback
at the head of the stack (instead of at the end) then currently it will simply
not get called in the case of a successful Bind, because the overlay framework
tears down the callback stack before it returns to the frontend. If the
callback was inserted using malloc'd memory then it will cause a memory leak
as well.
I plan to file an ITS on this for RE24, not sure how soon I'll get to the
actual changes though.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
15 years, 2 months
Re: commit: ldap/doc/man/man5 slapd-meta.5
by Pierangelo Masarati
ando(a)OpenLDAP.org wrote:
> HEADS-UP: now the list of URIs is better set by using separate arguments
The new behavior should be the only documented one. It allows to get
rid of the long-lasting, quite annoying "tabs-separated URI list" issue.
The old syntax is fully recognized, but it should just be forgotten.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati(a)sys-net.it
---------------------------------------
15 years, 2 months
rfc45xx in RE23?
by Gavin Henry
Hi all,
Why don't we have any 45XX rfcs in doc/rfc/ ?
Thanks.
--
Kind Regards,
Gavin Henry.
Managing Director.
T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E ghenry(a)suretecsystems.com
Open Source. Open Solutions(tm).
http://www.suretecsystems.com/
15 years, 2 months
Fast Bind
by Gavin Henry
In our docs, should we use the term "Fast Bind", i.e. when a client
supplies a full DN and also a password, or is it misleading?
I've seen this referenced in other documentation and Cyrus SASL.
--
Kind Regards,
Gavin Henry.
Managing Director.
T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E ghenry(a)suretecsystems.com
Open Source. Open Solutions(tm).
http://www.suretecsystems.com/
15 years, 2 months
Re: commit: ldap/tests/data test.schema
by Pierangelo Masarati
ando(a)OpenLDAP.org wrote:
> Log Message:
> move test schema to "published OID arc" (under 1.3.6.1.4.1.4203.1.12.1)
Things should now be fixed in the OID repository as well.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati(a)sys-net.it
---------------------------------------
15 years, 3 months
Re: commit: ldap/servers/slapd/back-bdb idl.c
by Quanah Gibson-Mount
--On Tuesday, September 04, 2007 5:10 PM +0000 ando(a)OpenLDAP.org wrote:
> Update of /repo/OpenLDAP/pkg/ldap/servers/slapd/back-bdb
>
> Modified Files:
> Tag: OPENLDAP_REL_ENG_2_4
> idl.c 1.124.2.3 -> 1.124.2.4
>
> Log Message:
> import fix for ITS#5121
I've moved the tag for OPENLDAP_REL_ENG_2_4_5BETA to this version.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
15 years, 3 months
