
Re: commit: ldap/servers/slapd/overlays pcache.c



ando@OpenLDAP.org wrote:

Log Message:
the caching database may need to inherit ACLs and limits from the proxy



FYI, I needed the above to ensure the cache honors ACLs at the proxy side. I think there are a few other issues with pcache; essentially:
1) the cache has no knowledge of the identity that was used to populate it; this can be an issue if clients authenticate as individual users instead of asserting an applicative identity and if per-user ACLs are enforced at the remote server. I don't see an easy fix to this, except a per-user cache; I think this was already discussed at some point.
2) the cache use is quite limited if the proxy also acts as authorizing backend for the users, since binds are not proxied. The proxycache should be able to cache plaintext-like binds.
3) if the proxy doesn't act as authorizing backend for the users, all proxying occurs anonymously; this works around issue (1), but it still makes the cache useless if the remote server requires binds, or protects the proxied info with ACLs. I have a solution for this by means of the "idassert" feature of back-ldap, which required the cache to honor ACLs (and thus the present commit). However, this solution suffers from issue (2) when the proxy is also the authorizing backend for the users, since it still requires at least a bind for all connections (in its current implementation, it actually requires 2 (!) binds for each bind operation, which is something I think I can easily fix and reduce to 1 for each connection, plus 1 at the first connection).


p.



   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
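For readers not familiar with how the pieces mentioned above fit together, here is a slapd.conf fragment, added as an illustration and not taken from the message or from the OpenLDAP sources. It shows a back-ldap proxy with the pcache overlay in front of a remote server, with the identity assertion ("idassert") feature used to avoid anonymous proxying (issue 3) and with the ACLs and limits defined on the proxy database, which the caching database inherits after this commit. Directive names follow slapd-ldap(5) and slapo-pcache(5) as shipped with OpenLDAP 2.4 (the 2.3 overlay used proxycache, proxyattrset and proxytemplate instead); hostnames, DNs, credentials, paths and the chosen attributes and templates are placeholders.

```conf
#######################################################################
# Proxy database with a local pcache in front of a remote directory.
# Added example, not from the original message; names are placeholders.
#######################################################################
database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://ldap-master.example.com"

# Issue (3): without this, clients that do not bind to the proxy are
# forwarded anonymously. The proxy binds to the remote server once per
# connection as a service account and asserts the local client identity
# (proxy authorization) on top of that bind; mode=none asserts the
# client's own DN, so remote per-user ACLs still decide what is returned.
idassert-bind   bindmethod=simple
                binddn="cn=proxy,dc=example,dc=com"
                credentials="REPLACE-ME"
                mode=none
idassert-authzFrom "dn.regex:.*"

# ACLs and limits live on the proxy database. With this commit the cache
# database inherits them, so an entry answered from the cache is subject
# to the same rules as one fetched from the remote server.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by users read
        by * none
limits  users size=500 time=60

overlay         pcache
# <backend> <max entries> <number of attribute sets> <entry limit> <cc period>
pcache          bdb 10000 1 50 100
pcacheAttrset   0 cn sn mail uid
pcacheTemplate  (uid=) 0 3600
pcacheTemplate  (mail=) 0 3600

# Directives that follow belong to the private database backing the cache.
directory       /var/lib/ldap/pcache
index           objectClass eq
index           uid,mail eq
```

Two caveats follow directly from the points raised in the message. Issue (1) is not solved by this configuration: the cached entries are whatever the remote server returned to the identity asserted for the first client, and a later client whose remote ACLs differ will be answered from the cache; the proxy-side ACLs inherited by the cache only help if they are at least as restrictive as the remote ones. Issue (2) also remains: binds are still evaluated against the proxy's own data (or forwarded to the remote server), not against the cache; later OpenLDAP 2.4 releases added a pcacheBind directive to the overlay for caching simple binds, which did not exist at the time of this commit.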