[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Ref : (ITS#4057) [feature request] allow to defer bind to targets in back-meta when binding as rootdn

To: openldap-its@OpenLDAP.org
Subject: Re: Ref : (ITS#4057) [feature request] allow to defer bind to targets in back-meta when binding as rootdn
From: ando@sys-net.it
Date: Mon, 3 Oct 2005 08:09:38 GMT

> Hi;
> This feauture is very helpful.
> It avoids polluting your target directories on LAN and WAN with undesired
> and irrelevant BIND requests.
> I use back meta since 2003 and I have to patch each version to avoid this
> BIND propagation (which is versy costy in some cases).
>
> I can submit my patch for 2.3.7 if necessary (I know it is not aimed at
> general use).
>

It's already in HEAD/re23, thanks.  The point is that unnecessary binds
only occur when binding as the rootdn, which should not be considered the
regular way of using back-meta.  More than required anonymous binds, on
the contrary, simply occur because connections were not pooled.  This is
also fixed in HEAD/re23.

Note that by giving up immediate authc propagation when authc'd as rootdn
on the one hand avoids unnecessary binds when only a subset of the targets
will be used.  On the other hand, a bind as rootdn will be successful as
soon as the rootdn credentials are fine, but it may fail later when the
actual bind to the remote server occurs.  So we're trading "security" for
efficiency.  That's why it's optional.

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497

Prev by Date: Ref : (ITS#4057) [feature request] allow to defer bind to targets in back-meta when binding as rootdn
Next by Date: (ITS#4059) The "nretries" parameter in back-meta configuration
Index(es):
- Chronological
- Thread