
RE: Proxy cache extension for OpenLDAP



At 03:08 AM 2002-09-06, Howard Chu wrote:
>> From: Apurva Kumar [mailto:kapurva@in.ibm.com]
>> LDAP proxy cache docs in HTML.
>
>Thanks. It's a fascinating idea. The effect of ACLs on cached results isn't
>considered though; I guess you assume that all clients of the proxy will have
>equal privileges on the remote server. (That's a fair enough assumption for
>many scenarios, it just needs to be stated.)

You should be able to apply per-user ACLs on information
held in the cache, but use another identity in obtaining
information for the cache.

That is, caching aside, back-ldap should be able to obtain
information using a common identity but return it only if
it matches per-user ACLs.

>You can implement your cache_backend APIs without directly modifying
>back-ldbm.

Apurva and I discussed the need to support back-bdb as the cache
store.  Your suggestion seems like a reasonable approach for
not only providing back-bdb support, but allowing any backend
to serve as the cache store.

>Also, there should be some kind of cache aging parameter to eliminate stale
>data from the cache.

Likely some sort of default TTL augmented by entry TTLs would
cover this well enough.

>It's a very good effort. I think the query containment and query template
>approach makes sense. Hopefully some more folks will examine this patch and
>chime in.

Yes!
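
The following Python example is added here; it is not part of the original message and is not OpenLDAP code. It models the two points made in the reply: a cache filled under one common identity whose results are filtered by per-user ACLs on return, and a default TTL that a per-entry TTL overrides. `ProxyCache`, the ACL map, and the TTL values are hypothetical names and assumptions.

```python
from dataclasses import dataclass
from typing import Optional

DEFAULT_TTL = 300.0  # assumed default TTL in seconds (hypothetical value)

@dataclass
class CachedEntry:
    attrs: dict
    fetched_at: float
    ttl: Optional[float] = None  # per-entry TTL; None means use the default

class ProxyCache:
    """Hypothetical model: filled under one common identity, read per user."""

    def __init__(self, acl, default_ttl=DEFAULT_TTL):
        self.acl = acl  # hypothetical ACL: user DN -> readable attribute names
        self.default_ttl = default_ttl
        self.entries = {}

    def store(self, dn, attrs, now, ttl=None):
        # Called with data the proxy fetched using its own (common) identity.
        self.entries[dn] = CachedEntry(dict(attrs), now, ttl)

    def read(self, user, dn, now):
        """Return the attributes `user` may see, or None on a miss/stale entry."""
        entry = self.entries.get(dn)
        if entry is None:
            return None
        ttl = entry.ttl if entry.ttl is not None else self.default_ttl
        if now - entry.fetched_at >= ttl:
            del self.entries[dn]  # stale: evict so the caller refetches
            return None
        allowed = self.acl.get(user, set())  # unknown users see nothing
        return {k: v for k, v in entry.attrs.items() if k in allowed}

def demo():
    # Constructed sample data, not taken from any real directory.
    acl = {"uid=alice,dc=example,dc=com": {"cn", "mail"},
           "uid=bob,dc=example,dc=com": {"cn"}}
    cache = ProxyCache(acl)
    dn = "uid=carol,dc=example,dc=com"
    cache.store(dn, {"cn": ["Carol"], "mail": ["carol@example.com"],
                     "userPassword": ["{SSHA}constructed"]}, now=0.0)
    alice = cache.read("uid=alice,dc=example,dc=com", dn, now=10.0)
    bob = cache.read("uid=bob,dc=example,dc=com", dn, now=10.0)
    stale = cache.read("uid=alice,dc=example,dc=com", dn, now=300.0)
    return alice, bob, stale

if __name__ == "__main__":
    print(demo())
```

The ACL check runs on every read, including cache hits, so a result cached on behalf of one user is never returned unfiltered to another.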