httpd-dev mailing list archives
From Graham Leggett <>
Subject Re: [patch]2 : mod_auth_ldap doesn't effectively use the cache with "require user User1 User2 .." directives]
Date Sun, 16 Mar 2003 17:11:24 GMT
Yavor Trapkov wrote:

> - firstly, it checks if the whole string "User1 User2 .." matches the CN of the
>   authenticated user and as this is a very rare situation it almost always
>   fails, so each time we request a page the web server sends an LDAP query, as this
>   is never cached as a negative result

We have to check this case first, otherwise we could have false positives.

A better workaround for this is to insist that all the tokens in the 
require list be surrounded with "'s if there are spaces involved in the 
search pattern. Then we can drop the whole line search entirely.

> - secondly, there is a loop that checks if every single entry in the list
>   matches the CN of the authenticated user
>     = it checks if this is a cached positive result
>     = and if not it sends an LDAP query
>     = this happens until it finds a match or the list finishes

If you have a need for more than one user on a require user line, then 
you really should be using LDAP groups. LDAP groups are far more 
manageable anyway.

> - firstly, to check all words in the list only against the cache and
>   not send LDAP queries

What you are asking for is negative caching, which I am not 100% 
comfortable with. If a login fails due to some error (e.g. wrong 
password), and the error is subsequently fixed in the directory, the 
next time the query is tried with the correct password the comparison 
will fail until the negative cache has timed out. This will not be 
immediately obvious to the user, and will probably be reported as a bug.

> - at last, to check for the whole string "user1 user2 .." as this is a very
>   rare case and in almost all cases gives a negative result

It is not a rare case - if you match against cn (as iPlanet Directory 
Server does by default) you will almost always use this case.

-----------------------------------------
"There's a moon over Bourbon Street
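To make the trade-off in this thread concrete, here is a small added simulation (not mod_auth_ldap code) of the two-step "require user" check against a compare cache. It assumes a constructed directory, a hypothetical DN, and a toy TTL; it counts LDAP round trips with positive-only caching, and then shows the stale-denial problem that negative caching introduces once the directory entry is corrected.

```python
class CompareCache:
    """Toy model of a compare cache: by default only positive results are kept,
    so a failed compare is re-sent to the LDAP server on every request."""

    def __init__(self, directory, ttl=600.0, cache_negative=False):
        self.directory = directory          # dn -> set of cn values (constructed data)
        self.ttl = ttl
        self.cache_negative = cache_negative
        self.cache = {}                     # (dn, value) -> (result, stored_at)
        self.ldap_queries = 0

    def compare(self, dn, value, now):
        hit = self.cache.get((dn, value))
        if hit is not None and now - hit[1] < self.ttl:
            return hit[0]                   # served from cache, no LDAP round trip
        self.ldap_queries += 1              # cache miss: ask the directory
        result = value in self.directory.get(dn, set())
        if result or self.cache_negative:
            self.cache[(dn, value)] = (result, now)
        return result


def require_user(cache, dn, require_line, now):
    """The two-step check described in the thread: whole line first, then each token."""
    if cache.compare(dn, require_line, now):
        return True
    return any(cache.compare(dn, token, now) for token in require_line.split())


def run(cache_negative, ttl=600.0):
    """Three requests against a mistyped entry, then the admin fixes the directory."""
    dn = "uid=dave,ou=people,dc=example,dc=com"  # hypothetical DN
    directory = {dn: {"dav"}}                     # constructed: cn mistyped in the directory
    cache = CompareCache(directory, ttl, cache_negative)
    line = "alice bob dave"
    for t in range(3):
        require_user(cache, dn, line, now=float(t))
    queries_before_fix = cache.ldap_queries
    directory[dn] = {"dave"}                      # entry corrected at t=10
    allowed_right_after_fix = require_user(cache, dn, line, now=10.0)
    allowed_after_ttl = require_user(cache, dn, line, now=10.0 + ttl + 1)
    return queries_before_fix, allowed_right_after_fix, allowed_after_ttl


if __name__ == "__main__":
    print("positive-only cache:", run(cache_negative=False))  # (12, True, True)
    print("negative cache too: ", run(cache_negative=True))   # (4, False, True)
```

Positive-only caching pays four LDAP queries per request while the user is denied, which is the cost Yavor describes; negative caching cuts that to four in total but keeps denying the user after the directory is fixed until the TTL expires, which is the failure mode Graham describes.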
