Re: commit: ldap/servers/slapd/overlays pcache.c

[Pierangelo Masarati <ando@sys-net.it>]

ando@OpenLDAP.org wrote:

> Log Message:
> the caching database may need to inherit ACLs and limits from the proxy
>  

FYI, I needed the above to ensure the cache honors ACLs at the proxy 
side.  I think there are few other issues with pcache; essentially:
1) the cache has no knowledge of the identity that was used to populate 
it; this can be an issue if clients authenticate as individual users 
instead of asserting an applicative identity and if per-user ACLs are 
enforced at the remote server.  I don't see an easy fix to this, except 
a per-user cache; I think this was already discussed at some point.
2) the cache use is quite limited if the proxy also acts as authorizing 
backend for the users, since binds are not proxied.  The proxycache 
should be able to cache plaintext-like binds.
3) if the proxy doesn't act as authorizing backend for the users, all 
proxying occurs anonymously; this works around issue (1), but it still 
makes the cache useless if the remote server requires binds, or protects 
the proxied info with ACLs.  I have a solution for this by means of the 
"idassert" feature of back-ldap, which required the cache to honor ACLs 
(and thus the present commit). However, this solution suffers from issue 
(2) when the proxy is also the authorizing backend for the users, since 
it still requires at least a bind for all connections (in its current 
implementation, it actually requires 2 (!) binds for each bind 
operation, which is something I think I can easily fix and reduce to 1 
for each connection, plus 1 at the first connection).

p.



   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497