[EMAIL PROTECTED] wrote:
> On Thu, Nov 20, 2008 at 02:43:22PM +0000, [EMAIL PROTECTED] wrote:
>
>> In the manpage for slapd.conf (slapd.conf.5) in the limits directive
>> description the value for the size.unchecked pattern should be disabled
>> and not disable according to limits.c
>
> Well spotted!
>
> I am curious about why this feature was added. The man page says:
>
>    If it is set to disable, the search is not even performed; this
>    can be used to disallow searches for a specific set of users.
>
> Disallowing searches seems more like an ACL job than a limit job
> to me, so I did not mention this when writing up the Limits features
> for the Admin Guide.
>
> Does anyone actually use unchecked=disabled and if so, why?

ACLs act too late, after the search has been performed; this acts at the
candidate selection level, and with similar granularity in terms of
identity the request is performed as. Now, search access to the
searchBase is checked, so a search can be stopped even earlier. This was
not requested when this limits feature was introduced.

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   [EMAIL PROTECTED]
-----------------------------------
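
An added example, not part of the thread or of OpenLDAP's own code: a small Python audit of a slapd.conf that lists every `size.unchecked` limit with the selector it applies to and flags the `disable` spelling reported in the first message. The sample configuration is constructed, and treating `unlimited`, `none` and plain integers as the only other valid values is an assumption.

```python
import shlex

# Keywords accepted besides a non-negative integer. "disabled" is the spelling the
# thread cites from limits.c; "unlimited" and "none" are assumptions of this example.
KEYWORDS = {"disabled": "search-disabled", "unlimited": "unlimited", "none": "unlimited"}

# Constructed sample configuration, not taken from the thread.
SAMPLE = '''\
database bdb
suffix "dc=example,dc=com"
limits anonymous size.unchecked=disable
limits group="cn=Report Users,dc=example,dc=com"
    size.soft=500 size.unchecked=disabled
limits users size.unchecked=10000 time=60
'''

def logical_lines(text):
    """Yield (first_line_no, joined_line); a line starting with whitespace continues the previous one."""
    current, start = None, 0
    for no, raw in enumerate(text.splitlines(), 1):
        if raw[:1] in (" ", "\t") and raw.strip() and current is not None:
            current += " " + raw.strip()
            continue
        if current is not None:
            yield start, current
        current, start = raw.rstrip(), no
    if current is not None:
        yield start, current

def audit_unchecked(text):
    """Return (line_no, selector, value, status) for each size.unchecked limit found."""
    findings = []
    for no, line in logical_lines(text):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        args = shlex.split(line)  # honours double-quoted arguments such as DNs with spaces
        if len(args) < 3 or args[0].lower() != "limits":
            continue
        for limit in args[2:]:
            key, _, value = limit.partition("=")
            if key.lower() != "size.unchecked":
                continue
            v = value.lower()
            status = KEYWORDS.get(v) or ("limited" if v.isdigit() else "invalid")
            findings.append((no, args[1], value, status))
    return findings

if __name__ == "__main__":
    for finding in audit_unchecked(SAMPLE):
        print(finding)
```

An `invalid` finding marks a value copied from the man page wording rather than the keyword the parser accepts; the `search-disabled` findings give the list of identities that are barred from searching at the limits level.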
