The better way would be to change limits.c... we've seen a few requests for this over time...
Your workaround sounds plausible. I'd consider using a back-ldap on the limited server that proxies to the unlimited server.
The sizelimit directive is marked ARG_MAY_DB. So one workaround that may or may not work for your situation (or at all, this is off the top of my head) is:
database hdb
suffix "dc=unlimited,dc=com"
access to * by peername.ip="1.2.3.4" read

database relay
suffix "dc=limited,dc=com"
relay "dc=unlimited,dc=com"
sizelimit 500
access to * by * read
and then you could configure a different suffix for each limit, but serve "the same" data. back-relay should be lighter than two slapd with back-ldap.
On Thu, 12 Jun 2008, Bill MacAllister wrote:
We have an application that can only bind to the directory anonymously and needs to be able to exceed our query size limit. The queries will come from a small set of IP addresses. What we want to do is to set the query size limit by source IP address.
One way that I can see to do this is to run two slapd servers with different -h switches specified on the slapd startup so that each server will bind to a different interface:port. Then we can restrict access to the unlimited-size-query server using iptables. What would be really nice is if the two configurations could specify the same backend databases. Has anyone done this? Should this work? Is there a better way to do this?
Bill
-- Bill MacAllister whm@stanford.edu Systems Programmer, ITS Unix Systems, Stanford University