[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Avoid binding with external directory for cached results

To: "Pierangelo Masarati" <ando@sys-net.it>
Subject: Re: Avoid binding with external directory for cached results
From: "Daniel Montero Motilla" <damonmo@gmail.com>
Date: Tue, 17 Oct 2006 00:06:28 +0000
Cc: openldap-software@openldap.org
Content-disposition: inline
In-reply-to: <4533EC35.8020503@sys-net.it>
References: <3786d8020610161117i188af84fve6d5b8a4f73d5a19@mail.gmail.com> <4533EC35.8020503@sys-net.it>

2006/10/16, Pierangelo Masarati <ando@sys-net.it>:

The only possible solution I see in your case is modifying slapo-pcache
so that it also caches binds (with all the security concerns this may
imply); in that case, an attempt to lookup the bindDN locally should
take place before contacting the remote server and, in case of success,
identity assertion should be used if the subsequent search is not
cached; if the bindDN is not cached, after a successful simple bind, the
overlay should save a "glue" entry with the bindDN and the password
(possibly encrypted).


My case is even more simple, because the bindDN the client will use is
always the same, so based on your suggestion I'm thinking about doing
something like this:

- Implement 'bind' operation on pcache overlay so it always returns
success to frontend.
- Substitute 'meta' backend with multiple instances of 'slapd' backend
- Configure 'slapd' backend so it always does identity assertion using
mode 'self'

Do you think I'm on the right way?

Regards,

Dani.

References:
- Avoid binding with external directory for cached results
  - From: "Daniel Montero Motilla" <damonmo@gmail.com>
- Re: Avoid binding with external directory for cached results
  - From: Pierangelo Masarati <ando@sys-net.it>

Prev by Date: Re: Avoid binding with external directory for cached results
Next by Date: Proper Deinit? ldap_unbind_ext: Assertion `( (ld)->ld_options.ldo_valid == 0x2 )' failed
Index(es):
- Chronological
- Thread