Re: Contribution: Active Directory Password Cache (ITS#5042)

[ando@sys-net.it]

ando@sys-net.it wrote:

> At this point, it sounds like that your contribution could be 
> __entirely__ reworked into simply adding caching capabilities into the 
> current {SASL} password scheme (implemented in servers/slapd/sasl.c), 
> preserving the logics you're using right now.  You'd probably need to 
> define your own "cachedUserPassword" attribute to temporarily store the 
> cached credentials, unless something like this:
> 
> userPassword: {SASL}user
> userPassword: {<hash>}<hashed password>
> 
> allows the {SASL} module to fetch the next value of the userPassowrd and 
> treat it as the cached value.  The rest would be adding some TTL mech, 
> configurable via back-config, and that should be it.
> 
> Yet another option would be to allow per-entry caching, by defining a 
> new {CACHED-SASL} scheme.  This way, one could fine-grain decide whose 
> credentials can be cached and whose can't, letting the two cases share 
> most of the code.  I'd allow {SASL} to be cached as well, in case the 
> administrator just wants to allow all {SASL} auths to be cached.

For this purpose, it might be necessary to change the API of password 
scheme handling, so that it gets passed a pointer to the entire entry, 
read-only locked, so that attributes like the "cachedPwd" and the 
"cachedPwdTimestamp" can be fetched and used.

With respect to updating them, we might need to add some means to 
schedule internal modifications to be performed as soon as the entry 
lock is released.  Thoughts?

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------