Re: (ITS#6664) Server control forwarding in back_meta and back_ldap



> Note that the SSSVLV overlay can handle paged results locally too, thus
> negating any need for back-ldap/back-meta to forward it to a remote
> server.
> Obviously for greatest generality, there needs to be a way to configure
> which set of controls to pass through, and which to process locally.
> (Much like back-ldap's option to process the WhoAmI exop...)

Right.  With proxies the problem is twofold:

a) clients request pr because they think they're talking to AD

b) the proxy may need to use pr even if the client does not request it,
because it knows it's talking to AD

In (a), the issue could be handled the way sssvlv does, relieving the
proxy from having to deal with server-side pr; this would be extremely
beneficial, for example, for back-meta.

In (b), the proxy could be configured to use pr the way I mentioned above;
in principle, the proxy could be so clever as to avoid using pr, and simply
accept handling unrequested pr responses, but only if instructed to do
so.

Filtering what controls are passed through should be easy, since both proxy
backends always call ldap_back_controls_add()/meta_back_controls_add() to
muck with request controls (usually to add proxied authorization and so on);
this function could easily strip or add pr if instructed to do so.

p.
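
The control filtering discussed in this message, as an added example that is not part of the original message and is not OpenLDAP code: a per-OID policy decides whether a request control is passed to the remote server, stripped for local processing (case a), or added without a client request (case b). The types `ctrl_rule`, `req_ctrl`, `ctrl_plan` and the function `plan_controls()` are hypothetical, and sending a forced control as non-critical is an assumption.

```c
#include <stddef.h>
#include <string.h>

#define OID_PAGED_RESULTS "1.2.840.113556.1.4.319"   /* RFC 2696 */
#define OID_PROXY_AUTHZ   "2.16.840.1.113730.3.4.18" /* RFC 4370 */

/* Hypothetical policy types; simplified stand-ins, not OpenLDAP's LDAPControl. */
typedef enum { CTRL_PASS, CTRL_LOCAL, CTRL_FORCE } ctrl_action;
typedef struct { const char *oid; ctrl_action action; } ctrl_rule;
typedef struct { const char *oid; int critical; } req_ctrl;

typedef struct {
    size_t n_out;    /* controls to send to the remote server */
    size_t n_local;  /* client controls stripped for local processing, case (a) */
    size_t n_forced; /* controls added without a client request, case (b) */
} ctrl_plan;

static int has_oid(const req_ctrl *c, size_t n, const char *oid)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(c[i].oid, oid) == 0) return 1;
    return 0;
}

/* Returns 0 on success, -1 if out[] is too small. Unlisted OIDs pass through. */
int plan_controls(const ctrl_rule *rules, size_t nrules,
                  const req_ctrl *in, size_t nin,
                  req_ctrl *out, size_t cap, ctrl_plan *plan)
{
    memset(plan, 0, sizeof *plan);
    for (size_t i = 0; i < nin; i++) {
        ctrl_action act = CTRL_PASS;
        for (size_t r = 0; r < nrules; r++)
            if (strcmp(rules[r].oid, in[i].oid) == 0) act = rules[r].action;
        if (act == CTRL_LOCAL) { plan->n_local++; continue; }
        if (plan->n_out == cap) return -1;
        out[plan->n_out++] = in[i];
    }
    for (size_t r = 0; r < nrules; r++) {
        /* Add a forced control only when the client did not send it. */
        if (rules[r].action != CTRL_FORCE || has_oid(in, nin, rules[r].oid))
            continue;
        if (plan->n_out == cap) return -1;
        out[plan->n_out++] = (req_ctrl){ rules[r].oid, 0 }; /* assumed non-critical */
        plan->n_forced++;
    }
    return 0;
}
```

A non-zero `n_local` tells the caller it must answer that control itself, and a non-zero `n_forced` tells it to consume the corresponding response controls rather than return them to the client.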