Emmanuel Dreyfus wrote:
Michael Ströder <michael@stroeder.com> wrote:
Would be a nice feature for slapo-constraint. Maybe an additional <size> parameter limiting the number of bytes for BLOB attributes or number of characters in case of character-based string syntaxes. And maybe a limit for the <number> of attribute values for multi-valued attributes.
I just had a look. The size constraint is trivial to implement. number is a bit more difficult.
If I understand correctly, constraint_violation() should perform an internal LDAP search for the constrained attribute, count the existing, and somehow keep a count of how many times constraint_violation() is called for a given attribute and a given operation.
I am not sure slapo-constraint is the right place.
I think it would be fine there for now. The 2.4 Attribute structure already maintains a counter for the number of values present. For an Add operation it's a no-brainer to enforce this constraint. For a Modify operation you will have to keep track of Add/Delete subops, but that's not too difficult.
Might be something to think about for OpenLDAP 3.0 - number constraints defined in the subschema, and different subschemas controlling different subtrees. Could simply extend the current config tree with a new "ScopedSchema" objectclass, containing schema elements that only pertain to specific branches, overlaid on top of the existing global schema. (It doesn't make sense to me to have to completely duplicate all the basic core schema everywhere you want to set up local customizations...)
Obviously the current schema allows advisory attribute size limits, which have historically been completely ignored by LDAP servers. It would be quite a change to introduce hard size limits here, and you'd also have to get agreement from the X.500 side too. (I'll note that back-ndb uses the attribute size limits in existing LDAP schema, and enforces them as hard limits.)
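
The value counting described above for Add and Modify, as an added example that is not part of the original message and is not OpenLDAP code. The `struct mod` model, the function names and the choice to check only the resulting count are assumptions made for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model, not OpenLDAP's own structures: one sub-operation of a
 * Modify request that touches the constrained attribute. */
enum subop { SUBOP_ADD, SUBOP_DELETE, SUBOP_REPLACE };
struct mod {
    enum subop op;
    unsigned nvals; /* values carried; 0 on SUBOP_DELETE means "delete all" */
};

/* Add operation: the value count of the new entry's attribute is final. */
int add_violates(unsigned nvals, unsigned max_vals)
{
    return nvals > max_vals;
}

/* Modify operation: start from the count already stored in the entry and
 * replay the subops in request order. Assumption: only the resulting count
 * is checked, because a Modify is applied as a whole.
 * Returns 1 if the result exceeds max_vals, otherwise 0. */
int modify_violates(unsigned existing, const struct mod *mods, size_t nmods,
                    unsigned max_vals)
{
    unsigned count = existing;
    for (size_t i = 0; i < nmods; i++) {
        unsigned n = mods[i].nvals;
        switch (mods[i].op) {
        case SUBOP_ADD:     /* saturate instead of wrapping around */
            count = (n > UINT_MAX - count) ? UINT_MAX : count + n;
            break;
        case SUBOP_DELETE:  /* clamp at zero; value matching is the backend's job */
            count = (n == 0 || n >= count) ? 0 : count - n;
            break;
        case SUBOP_REPLACE: /* replace discards whatever was there */
            count = n;
            break;
        }
    }
    return count > max_vals;
}

int main(void)
{
    /* Constructed request: entry holds 2 values, limit is 3. */
    struct mod req[] = { { SUBOP_ADD, 2 }, { SUBOP_DELETE, 1 } };
    printf("violation: %d\n", modify_violates(2, req, 2, 3));
    return 0;
}
```

The saturating add keeps a request carrying a very large value count from wrapping the counter back under the limit.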