
Re: Avoid binding with external directory for cached results



Daniel Montero Motilla wrote:
> Hi, I'm using slapd 2.3.27 as a metadirectory with two external active
> directory servers and pcache overlay enabled. The pcache overlay is
> working ok, but when I do a non-anonymous search and slapd gets the
> results from local cache, it establishes a new connection to the
> external directory, tries to bind and then closes the connection.
> Although I understand that this is the logical behaviour, I'm looking
> for some way to avoid this binding against the external directory if
> the results of the search are going to be obtained from slapd cache,
> in order to increase performance (in my scenario validating
> credentials for cached results is not a priority).

It is not possible.

> If that is not possible, I'd like to know if there is a way to make
> slapd establish a permanent connection to the external directory with
> the purpose of doing those credentials validations (instead of
> establishing a new tcp connection on every search).

No. Binds are always performed on a freshly created connection, there's little to do with it.

The only possible solution I see in your case is modifying slapo-pcache so that it also caches binds (with all the security concerns this may imply); in that case, an attempt to look up the bindDN locally should take place before contacting the remote server and, in case of success, identity assertion should be used if the subsequent search is not cached; if the bindDN is not cached, after a successful simple bind, the overlay should save a "glue" entry with the bindDN and the password (possibly encrypted).

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------
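
The bind-caching flow proposed in the reply above, as an added Python model that is not part of the original message and is not OpenLDAP or slapo-pcache code. The class name, the remote_bind callable, the TTL and the DN normalization are assumptions made for illustration; it stores a salted PBKDF2 hash instead of the "possibly encrypted" password, and identity assertion for uncached searches is not modelled.

```python
import hashlib, hmac, os, time

class BindCache:
    """Toy model of a bind cache in front of a remote directory (hypothetical names)."""

    def __init__(self, remote_bind, ttl=300, iterations=100_000, clock=time.monotonic):
        self._remote_bind = remote_bind  # assumed callable(dn, password) -> bool
        self._ttl, self._iter, self._clock = ttl, iterations, clock
        self._entries = {}               # normalized DN -> (salt, digest, expiry)

    @staticmethod
    def _norm(dn):
        # Simplified normalization (assumption); real DN matching is schema-aware.
        return ",".join(part.strip().lower() for part in dn.split(","))

    def _hash(self, salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self._iter)

    def bind(self, dn, password):
        """Return (ok, source); source is 'cache', 'remote' or 'rejected'."""
        if not password:
            # An empty password is an unauthenticated bind; never answer it from cache.
            return False, "rejected"
        key = self._norm(dn)
        entry = self._entries.get(key)
        if entry:
            salt, digest, expiry = entry
            if self._clock() < expiry and hmac.compare_digest(digest, self._hash(salt, password)):
                # Security cost: a password changed or an account disabled remotely
                # is still accepted here until the entry expires.
                return True, "cache"
            del self._entries[key]       # expired or mismatch: revalidate remotely
        ok = self._remote_bind(dn, password)
        if ok:
            salt = os.urandom(16)
            self._entries[key] = (salt, self._hash(salt, password), self._clock() + self._ttl)
        return ok, "remote"

if __name__ == "__main__":
    directory = {"cn=alice,dc=example,dc=com": "s3cret"}   # constructed sample data
    cache = BindCache(lambda dn, pw: directory.get(dn) == pw, ttl=60)
    print(cache.bind("cn=alice,dc=example,dc=com", "s3cret"))   # goes to the remote
    print(cache.bind("CN=Alice, dc=example,dc=com", "s3cret"))  # answered locally
```

Because a mismatch evicts the entry and falls through to the remote bind, failed guesses still reach the external directory and count against its lockout policy; the TTL bounds how long a stale credential keeps working.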