[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#6664) Server control forwarding in back_meta and back_ldap

masarati@aero.polimi.it wrote:
>> Note that the SSSVLV overlay can handle paged results locally too, thus
>> negating any need for back-ldap/back-meta to forward it to a remote
>> server.
>> Obviously for greatest generality, there needs to be a way to configure
>> which
>> set of controls to pass through, and which to process locally. (Much like
>> back-ldap's option to process the WhoAmI exop...)
> Right.  With proxies the problem is twofold:
> a) clients request pr because they think they're talking to AD
> b) the proxy may need to use pr even if the client does not request it,
> because it knows it's talking to AD
> In (a), the issue could be handled the way sssvlv does, relieving the
> proxy from having to deal with server-side pr; this would be extremely
> beneficial, for example, for back-meta
> In (b), the proxy could be configured to use pr the way I mentioned above;
> in principle, the proxy could be so clever to avoid using pr, and simply
> accept to handle unrequested pr responses, but only if instructed to do
> so.
> Filtering what controls are passed thru should be easy, since both proxy
> backends always call ldap_back_controls_add()/meta_back_controls_add() to
> muck with request controls (usually to add proxied authorization and so);
> this function could easily strip or add pr if instructed to do so.

Should also revisit ITS#4591 while thinking about this.

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/