Re: (ITS#6664) Server control forwarding in back_meta and back_ldap
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#6664) Server control forwarding in back_meta and back_ldap
- From: hyc@symas.com
- Date: Thu, 30 Dec 2010 16:59:09 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
masarati@aero.polimi.it wrote:
>> Note that the SSSVLV overlay can handle paged results locally too, thus
>> negating any need for back-ldap/back-meta to forward it to a remote
>> server.
>> Obviously for greatest generality, there needs to be a way to configure
>> which set of controls to pass through, and which to process locally.
>> (Much like back-ldap's option to process the WhoAmI exop...)
>
> Right. With proxies the problem is twofold:
>
> a) clients request pr because they think they're talking to AD
>
> b) the proxy may need to use pr even if the client does not request it,
> because it knows it's talking to AD
>
> In (a), the issue could be handled the way sssvlv does, relieving the
> proxy from having to deal with server-side pr; this would be extremely
> beneficial, for example, for back-meta
>
> In (b), the proxy could be configured to use pr the way I mentioned above;
> in principle, the proxy could be so clever as to avoid using pr, and simply
> accept to handle unrequested pr responses, but only if instructed to do
> so.
>
> Filtering what controls are passed thru should be easy, since both proxy
> backends always call ldap_back_controls_add()/meta_back_controls_add() to
> muck with request controls (usually to add proxied authorization and so on);
> this function could easily strip or add pr if instructed to do so.
Should also revisit ITS#4591 while thinking about this.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
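
The per-control filtering discussed in this thread, sketched as an added example (not code from OpenLDAP or from either poster). The `struct ctrl` type, the `action` policy values and `filter_controls()` are hypothetical names; controls without a rule are assumed to be forwarded unchanged.

```c
#include <stddef.h>
#include <string.h>

#define OID_PAGED_RESULTS "1.2.840.113556.1.4.319"   /* RFC 2696 */
#define OID_PROXIED_AUTHZ "2.16.840.1.113730.3.4.18" /* RFC 4370 */

/* Simplified stand-in for LDAPControl (control value omitted). */
struct ctrl { const char *oid; int critical; };

/* Hypothetical per-control policy, not an existing OpenLDAP option. */
enum action { FORWARD, STRIP_LOCAL, FORCE_ADD };
struct rule { const char *oid; enum action act; };

static const struct rule *find_rule(const struct rule *r, size_t n,
                                    const char *oid)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(r[i].oid, oid) == 0)
            return &r[i];
    return NULL;
}

/* Build the control list that goes to the remote server.
 * Returns the number of controls written to out, or -1 if out is too small. */
int filter_controls(const struct ctrl *in, size_t n_in,
                    const struct rule *rules, size_t n_rules,
                    struct ctrl *out, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; i < n_in; i++) {
        const struct rule *r = find_rule(rules, n_rules, in[i].oid);
        if (r && r->act == STRIP_LOCAL)
            continue;               /* case (a): processed locally, not sent */
        if (n == cap)
            return -1;
        out[n++] = in[i];
    }
    for (size_t i = 0; i < n_rules; i++) {   /* case (b): proxy-initiated */
        if (rules[i].act != FORCE_ADD)
            continue;
        size_t j = 0;
        while (j < n && strcmp(out[j].oid, rules[i].oid) != 0)
            j++;
        if (j < n)
            continue;               /* client already requested it */
        if (n == cap)
            return -1;
        out[n++] = (struct ctrl){ rules[i].oid, 0 };  /* added non-critical */
    }
    return (int)n;
}
```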