Alex Karasulu wrote:
On Mon, Jun 13, 2011 at 5:39 PM, Emmanuel Lecharny<[email protected]> wrote:
Alias cycle detection
---------------------
There is an unsolved question about how we should detect Alias cycles. Right
now, we check for cycles *before* they are created. The alternative would be
to stop any search that could lead to an infinite loop.
That would slow down reads. The best is to stop this from happening
with write operations: meaning doing the computation to detect and
prevent the cycle then and there instead of exhausting the search
process to deal with such wicked constructs.
You may be being over-paranoid here. First a client has to explicitly request
alias dereferencing and most of them don't by default, so in general reads
will be unaffected. Also the DB operations required to detect a cycle at write
time are the kinds of things you would already be performing efficiently in a
search. Doing them at search time is far better from a concurrency perspective
because you're only doing read operations inside a reader transaction, and
nothing touched inside the DB needs to stay locked for long. If you're doing
these searches during a write operation then you're going to accumulate huge
numbers of locks that must be held until the write transaction commits.
A third - but unrealistic - solution would be to don't detect cycle, and
process the search until we reach the time or size limit (in other words,
it's up to the admin to avoid the creation of such cycle; Highly
dangerous…).
Agreed - really dangerous.
The problem with the first approach is that we can't anymore pass the VSLDAP
tests. It's a major burden. Also most of the current servers support this
feature.
Is there a VSLDAP test that allows for alias cycle creation? If so we
should be able to bring this up with the Open Group. This is
definitely a gray area in the protocol but it makes little sense to
create alias cycles. Alias chaining on the other hand is a different
story.
Since alias dereferencing is not implicit, it makes no sense to prohibit
creation of alias cycles. I.e., they're otherwise just plain LDAP entries and
if they still obey the schema then you don't have much justification for
rejecting them.
So let me ask once again since I know little about the VSLDAP tests:
do they allow alias chaining or alias loops? The two would be
different.
Alex
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
