Re: "static" dbuser and dbpassword in back-sql ?

[Clayton Donley <clayton.donley@octetstring.com>]

Hi Jochen,

While I didn't write the code in OpenLDAP, I've done it for other 
software. I would imagine that the reason for using a static user is so 
that incoming LDAP connections can share a pool of database 
connections. Database connections tend to be considerably heavier to 
create than LDAP connections and reconnecting each time a new user 
comes in using their own credentials would tend to be 
performance-prohibitive.

As far as virtual directories, they tend to default to the same 
behavior for the same reasons when it comes to databases, though in 
many cases you can map certain users to more privileged connections 
than others, though in this case you're depending as much on the VD to 
manage privileges as if you just kept a single pool of connections and 
depended on the ACL system inherent in the VD or OpenLDAP software.

Clayton

On Sep 22, 2003, at 11:55 AM, Jochen Laser wrote:

>  As I understand from  man slapd-sql, the RDBMs username and password
>  must be explicitely be specified in slapd.conf or odbc.ini.
>  Therefore these credentials  are static. i.e, regardless of who
>  connects to the  LDAP Server, it's always the same user/password
>  combination  that is passed to the RDBMs via ODBC.
>
>  First question: did I get this right, or did I miss something 
> important?
>
>  For use in some kind of "virtual directory" it seems to be
>  a nice feature, if username an password to be passed to the
>  RDBMs could be derived from Bind-DN and password that were
>  originally passed to the LDAP Server.
>
>  Second and third question  (only valid if I was right with my
>  guess in qustion #1):
>
>  Are there good reasons why these credentials should be static?
>  How do other virual/metadirectory products handle this?
>
>
> Regards:
>
>  Jochen