Re: "static" dbuser and dbpassword in back-sql ?

Hi Jochen,

While I didn't write the code in OpenLDAP, I've done it for other software. I would imagine that the reason for using a static user is so that incoming LDAP connections can share a pool of database connections. Database connections tend to be considerably heavier to create than LDAP connections, and reconnecting each time a new user comes in using their own credentials would tend to be performance-prohibitive.

As far as virtual directories, they tend to default to the same behavior for the same reasons when it comes to databases, though in many cases you can map certain users to more privileged connections than others, though in this case you're depending as much on the VD to manage privileges as if you just kept a single pool of connections and depended on the ACL system inherent in the VD or OpenLDAP software.


On Sep 22, 2003, at 11:55 AM, Jochen Laser wrote:

 As I understand from man slapd-sql, the RDBMs username and password
 must be explicitly specified in slapd.conf or odbc.ini.
 Therefore these credentials are static, i.e., regardless of who
 connects to the LDAP Server, it's always the same user/password
 combination that is passed to the RDBMs via ODBC.

First question: did I get this right, or did I miss something important?

 For use in some kind of "virtual directory" it seems to be
 a nice feature, if username and password to be passed to the
 RDBMs could be derived from Bind-DN and password that were
 originally passed to the LDAP Server.

 Second and third question (only valid if I was right with my
 guess in question #1):

 Are there good reasons why these credentials should be static?
 How do other virtual/metadirectory products handle this?