[email protected] wrote:
> On Thu, Apr 06, 2017 at 05:14:15PM +0200, Michael Ströder wrote:
>> [email protected] wrote:
>>> On Wed, Apr 05, 2017 at 04:14:12PM +0200, Michael Ströder wrote:
>>>> => There could be a slapd per-backend configuration directive to disallow it with a
>>>> strong hint in the docs recommending to disallow it when using delta-syncrepl.
>>>>
>>>> Suggestion:
>>>> disallow mod_attr_repeated
>>>
>>> In my view, that's more pain than it's worth.
>>
>> Hmm, I think slapd should be able to disallow a crazy modify request like this:
>>
>> dn: cn=foobar,dc=example,dc=com
>> changetype: modify
>> replace: description
>> description: foobar1
>> -
>> replace: description
>> description: foobar2
>> -
>> ..
>> replace: description
>> description: foobar1000
>> -
>
> Well, the clients are allowed to request a lot of strange things, some
> of which border on a DoS: e.g. right now slapd can't disallow a modify
> request like:

Nor should we disallow any such thing. "Be liberal in what you accept."

>
> dn: cn=foobar,dc=example,dc=com
> changetype: modify
> replace: description
> description: foobar1
> description: foobar2
> ...
> description: foobar1000
>
> So there. If we can agree on a way to handle that, we might see whether
> it could be repurposed.
>
> I should have a patch for the accesslog issue soon.
>

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
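
Added example, not part of the original thread and not OpenLDAP code: a small Python audit that reads one LDIF modify record and reports both request shapes quoted above, an attribute named in more than one modification and a single modification carrying many values. The function name, the finding labels and the two thresholds are assumptions made for illustration; they are not slapd settings.

```python
from collections import Counter

# Constructed sample: the first request shape from the thread, cut to two
# "replace: description" operations, plus one multi-valued add.
SAMPLE = """\
dn: cn=foobar,dc=example,dc=com
changetype: modify
replace: description
description: foobar1
-
replace: description
description: foobar2
-
add: mail
mail: a@example.com
mail: b@example.com
-
"""

MOD_OPS = {"add", "delete", "replace", "increment"}

def audit_modify(ldif, max_ops_per_attr=1, max_values_per_op=100):
    """Return (ops_per_attr, findings) for one LDIF modify record.

    Both thresholds are hypothetical policy knobs chosen for this example.
    """
    ops, findings = Counter(), []
    current, values = None, 0              # attribute of the open operation
    for raw in ldif.splitlines() + ["-"]:  # sentinel closes an unterminated op
        if raw.startswith(" "):            # folded continuation of a value
            continue
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "-":                    # end of one modification
            if current and values > max_values_per_op:
                findings.append(("many_values", current, values))
            current, values = None, 0
            continue
        key, _, val = line.partition(":")
        key = key.strip().lower()          # attribute names are case-insensitive
        if current is None:
            if key in MOD_OPS:             # "replace: description" opens an op
                current = val.strip().lower()
                ops[current] += 1
        elif key == current:               # a value line for the open op
            values += 1
    findings += [("repeated_attr", a, n)
                 for a, n in ops.items() if n > max_ops_per_attr]
    return ops, findings
```

Run over exported change records or a request log, this gives a count per entry of how often either shape actually occurs, without the server rejecting anything.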
