[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: commit: ldap/servers/slapd/overlays pcache.c

> I think that the access control aspect of the proxy cache in relation to
> back-ldap needs to be elaborated further. Suppose a situation where the
> proxy cache stores search entries from the searches having the same search
> spec but requested by distinct identities. From the next search, the
> request
> will be satisfied by the internal database if they are answerable. Unless
> we
> have the same access control in the proxy cache as in the remote server, a
> search  can return entries originally prohibited by the target server. I
> also suspect that proxyAuthz is required for the proxy cache when it needs
> to deal with clients having different access control.

What you're depicting is a scenario where the cached search is done by the
proxy with some special identity that ensures a broad access, and
subsequent operations on the cached data are performed locally based on
the client's identity by means of the local access control rules.  This is
a very specific scenario that implies a trust relation ship between the
remote server and the proxy, so that the remote server is willing to give
broad access to the proxy itself and delegate access control to the proxy.
 In this case, the cahced request is performed with an administrative
identity.  I see other possibilities:

a) remote requests are performed by the proxy under an administrative
identity, cached once for all and then satisfied locally based on the
client's identity by locally applying acces rules.
b) remote requests are performed with the client's identity (either by
binding as the client or by asserting its identity), and cached on a
per-client basis; access control is directly applied by the remote server,
and for a client only data it can access is cached.

On the one hand, the latter approach may lead to a proliferation of the
cached data, but it does not require the remote server to trust the proxy
and delegate access control.  From my understanding, this latter was the
approach of proxycache, at least before it made it into an overlay.  Note
that I'm not favoring any of the approaches (there might even be more,
with overlappings); they're both reasonable, and may apply to specific


Pierangelo Masarati

    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497