directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Howard Chu <>
Subject Re: Alias cycle detection
Date Wed, 15 Jun 2011 09:21:44 GMT
Alex Karasulu wrote:
> On Mon, Jun 13, 2011 at 5:39 PM, Emmanuel Lecharny<>  wrote:
>> Alias cycle detection
>> ---------------------
>> There is an unsolved question about how we should detect Alias cycles. Right
>> now, we check for cycles *before* they are created. The alternative would be
>> to stop any search that could lead to an infinite loop.
> That would slow down reads. The best is to stop this from happening
> with write operations: meaning doing the computation to detect and
> prevent the cycle then and there instead of exhausting the search
> process to deal with such wicked constructs.

You may be being over-paranoid here. First a client has to explicitly request 
alias dereferencing and most of them don't by default, so in general reads 
will be unaffected. Also the DB operations required to detect a cycle at write 
time are the kinds of things you would already be performing efficiently in a 
search. Doing them at search time is far better from a concurrency perspective 
because you're only doing read operations inside a reader transaction, and 
nothing touched inside the DB needs to stay locked for long. If you're doing 
these searches during a write operation then you're going to accumulate huge 
numbers of locks that must be held until the write transaction commits.

>> A third - but unrealistic - solution would be to don't detect cycle, and
>> process the search until we reach the time or size limit (in other words,
>> it's up to the admin to avoid the creation of such cycle; Highly
>> dangerous…).
> Agreed - really dangerous.
>> The problem with the first approach is that we can't anymore pass the VSLDAP
>> tests. It's a major burden. Also most of the current servers support this
>> feature.
> Is there a VSLDAP test that allows for alias cycle creation? If so we
> should be able to bring this up with the Open Group. This is
> definitely a gray area in the protocol but it makes little sense to
> create alias cycles. Alias chaining on the other hand is a different
> story.

Since alias dereferencing is not implicit, it makes no sense to prohibit 
creation of alias cycles. I.e., they're otherwise just plain LDAP entries and 
if they still obey the schema then you don't have much justification for 
rejecting them.

> So let me ask once again since I know little about the VSLDAP tests:
> do they allow alias chaining or alias loops? The two would be
> different.
> Alex

   -- Howard Chu
   CTO, Symas Corp. 
   Director, Highland Sun
   Chief Architect, OpenLDAP

View raw message