[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: commit: ldap/servers/slapd/overlays pcache.c

owner-openldap-devel@OpenLDAP.org wrote on 11/18/2004 03:01:47 AM:

> ando@OpenLDAP.org wrote:
> >Log Message:
> >the caching database may need to inherit ACLs and limits from the proxy
> >
> >
> FYI, I needed the above to ensure the cache honors ACLs at the proxy
> side.  I think there are few other issues with pcache; essentially:
> 1) the cache has no knowledge of the identity that was used to populate
> it; this can be an issue if clients authenticate as individual users
> instead of asserting an applicative identity and if per-user ACLs are
> enforced at the remote server.  I don't see an easy fix to this, except
> a per-user cache; I think this was already discussed at some point.

Rather than having the cached data stored on a per-user basis, it should be
possible to perform identity checks during query containment. Currently the
meta-data for each cached query (search request) stores the base, scope,
filter and projected attributes. If the bind DN of the user which requested
the cached query and the list of attribute names for returned attributes
(subset of projected attributes) are also stored as query meta-data, then
it is possible to enforce backend server ACLs by:
(i) Answering a query Q from a cached query Q' only if the
bindDN(Q)=bindDN(Q') AND Q is (semantically) contained in Q'.
(ii) Performing the search on the shared cache but not returning any
attributes which were not returned (by the backend server) for Q'.

The above assumes that proxy can authenticate the user and asserts the
client's identity when requesting data from backend server.

Of course, the ACLs at the backend could change in the time between Q' and
Q, but cached queries only exist for a configurable TTL.

> 2) the cache use is quite limited if the proxy also acts as authorizing
> backend for the users, since binds are not proxied.  The proxycache
> should be able to cache plaintext-like binds.
> 3) if the proxy doesn't act as authorizing backend for the users, all
> proxying occurs anonymously; this works around issue (1), but it still
> makes the cache useless if the remote server requires binds, or protects
> the proxied info with ACLs.  I have a solution for this by means of the
> "idassert" feature of back-ldap, which required the cache to honor ACLs
> (and thus the present commit). However, this solution suffers from issue
> (2) when the proxy is also the authorizing backend for the users, since
> it still requires at least a bind for all connections (in its current
> implementation, it actually requires 2 (!) binds for each bind
> operation, which is something I think I can easily fix and reduce to 1
> for each connection, plus 1 at the first connection).
> p.
>     SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: