
Re: (ITS#4316) proxycache attrsets



>> Don't forget access control issues; I think by playing with attrsets they
>> can be limited, e.g. by only caching public searches or so.  In any case,
>> I'd leave the possibility to define attrsets.
>>
>
> I really don't see that allowing subsets of attrsets to work as desired
> has any impact on the overall access control policies.

I mean: remember that pcache suffers from the access control issue, i.e.
caching depends on the identity that first issued a certain operation, so
lookups of cached data may either return a subset of the requested data,
which is bad, or, in case the proxy's ACLs do not comply with those of the
remote server, even a superset, which is even worse.  So searching all
attrs by default sounds like risking further exposure of data in those
cases.

p.



Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309          
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------
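
The access control issue described in the message above, as an added Python model that is not part of the original post and is not OpenLDAP code: a cache keyed only by the query returns the first requester's view to everyone, and restricting the cacheable attribute set to public attributes removes the mismatch. The entry, identities, ACL table and all function and class names are constructed for illustration, and the model assumes the proxy applies no ACLs of its own.

```python
# Constructed model, not OpenLDAP code: one remote entry, per-identity read ACLs,
# and a proxy cache keyed only by the query, never by who asked.
ENTRY = {"cn": "Alice", "mail": "alice@example.org", "userPassword": "{SSHA}constructed"}
REMOTE_ACL = {                      # attributes each identity may read on the remote server
    "anonymous": {"cn", "mail"},
    "cn=admin": {"cn", "mail", "userPassword"},
}

def remote_search(identity, attrs):
    """What the remote server returns to `identity` for the requested attrs."""
    allowed = REMOTE_ACL[identity]
    return {a: ENTRY[a] for a in attrs if a in allowed and a in ENTRY}

class QueryCache:
    """Hypothetical cache: the caller's identity is not part of the cache key."""
    def __init__(self, cacheable_attrs):
        self.cacheable = set(cacheable_attrs)   # plays the role of an attrset
        self.store = {}

    def search(self, identity, attrs):
        key = frozenset(attrs)
        if not key <= self.cacheable:           # outside the attrset: always ask the remote
            return remote_search(identity, attrs)
        if key not in self.store:               # the first requester's view gets cached
            self.store[key] = remote_search(identity, attrs)
        return dict(self.store[key])

def exposure(cache, first, second, attrs):
    """Return (missing, leaked) attrs for `second` after `first` populated the cache."""
    cache.search(first, attrs)
    got = set(cache.search(second, attrs))
    want = set(remote_search(second, attrs))
    return want - got, got - want

ALL = ["cn", "mail", "userPassword"]
PUBLIC = ["cn", "mail"]

if __name__ == "__main__":
    print("all attrs, anonymous first:", exposure(QueryCache(ALL), "anonymous", "cn=admin", ALL))
    print("all attrs, admin first:    ", exposure(QueryCache(ALL), "cn=admin", "anonymous", ALL))
    print("public attrset only:       ", exposure(QueryCache(PUBLIC), "cn=admin", "anonymous", PUBLIC))
```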