[Date Prev][Date Next] [Chronological] [Thread] [Top]

back-ldap connection caching, proxy controls?

Something I've been thinking of - currently back-ldap creates connections on
a one-for-one basis with its incoming connections, and unbinds when the
incoming unbinds.

One potential use for back-ldap is on a machine running pam_ldap/apache
auth_ldap/whatever else, to collect requests via a Unix domain socket and
forward them over TLS to the main LDAP server. This approach would provide
the benefit of TLS security for the authentication requests without the
repeated overhead of TLS connection establishment.

To get the benefit of such a setup, back-ldap needs to be configurable with
an option to keep an outbound connection instead of unbinding it when the
inbound connection unbinds. As I see it, this is perfectly safe as long as
the only operations being performed are binds, you can just keep binding
over and over again on the same connection. The old pam_ldap did this, also
the Apache auth_ldap.

If you throw searches into the mix to support pam_ldap and nss_ldap it gets
a little more questionable. Since pam_ldap (from PADL) does more than just
authentication, the benefit gets even hazier.

What would help make this proxying really useful would be a Control that can
be sent along with an operation, specifying an authzID for that operation.
Also a Control for the Bind request, allowing it to accumulate IDs instead
of resetting the current connection. The idea being, you can only specify an
authzID that you have already bound as, on subsequent tagged operations.

Some default needs to be established for subsequent operations that arrive
without any authzID tag. One way would be simply to require that the first
Bind on a connection be a "normal" one, and this is the ID used by default
on untagged operations. Another approach would be to allow tagging a
particular Bind request as the default ID... I suppose I should go re-read
the X.500 DSP spec before going too far down this path.

Any thoughts?

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support