httpd-dev mailing list archives

From "Andre Schild" <>
Subject Antw: Re: [patch]2 : mod_auth_ldap doesn't effectively use the cache with"require user User1 User2 .." dir
Date Mon, 17 Mar 2003 07:24:59 GMT
> 16.03.2003 21:45:12 >>>
>>Graham Leggett <> wrote:

>Then your idea to use "'s and have only one check is probably a
>or we can have an extra option to specify how this "require user User1 User2 .."
> to be interpreted - as a single value or as a list of values.
I'm against yet another option, because we can't guarantee
correct behaviour if the quotes are turned off.

Better when we find a " in the line, use those as quotes.
If no " are found, then use the blanks as separators. (And this
automatically disallows usernames with blanks in them.)

>BTW, how the other apache authentication modules treat this
Good question....

>If first all values are checked against the cache and then if we 
>don't find a match we go to the LDAP - this will make the 
>cache used properly - no ldap requests sent if we have cached 
>the positive result, the negative results are not cached anyway.
> I don't see negative caching.
The only advantage a negative caching would provide is (slightly) a
handling of DOS attacks. Of course a DOS attack is still possible
when requesting user1, user2.... user99999

Of course a negative cache should have a "short" cache lifetime.
3-5 minutes or so.


aarboard ag
internet - networks - screen&print design - multimedia
Egliweg 10 - Postfach 214 - CH-2560 Nidau (Switzerland)
Phone +41 32 332 9714 - Fax +41 32 332 9715 -
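
The lookup order and the short negative lifetime discussed in this message, as an added C example (not mod_auth_ldap code and not the patch from this thread): every value of a `require user` line is checked against the cache before any LDAP compare is issued. All names, the in-memory cache, the 600 s positive lifetime and the `ldap_compare` stand-in are assumptions; the 180 s negative lifetime follows the 3-5 minute suggestion above.

```c
#include <stdio.h>
#include <string.h>
#define SLOTS   16
#define POS_TTL 600  /* assumed lifetime of a positive result, seconds */
#define NEG_TTL 180  /* short negative lifetime (3 minutes) */

struct entry { char key[128]; int match; long expires; };
static struct entry cache[SLOTS];
static unsigned next_slot;
int backend_calls;   /* number of simulated LDAP compares */

/* Stand-in for the LDAP compare operation (hypothetical, no network). */
static int ldap_compare(const char *user, const char *value) {
    backend_calls++;
    return strcmp(user, value) == 0;
}
static struct entry *lookup(const char *key, long now) {
    for (int i = 0; i < SLOTS; i++)
        if (cache[i].expires > now && strcmp(cache[i].key, key) == 0)
            return &cache[i];
    return NULL;
}
static void store(const char *key, int match, long now) {
    struct entry *e = &cache[next_slot++ % SLOTS];  /* round-robin eviction */
    snprintf(e->key, sizeof e->key, "%s", key);
    e->match = match;
    e->expires = now + (match ? POS_TTL : NEG_TTL);
}
/* Builds "user\nvalue"; returns 0 if it was truncated (then never cached). */
static int make_key(char *key, size_t len, const char *u, const char *v) {
    int n = snprintf(key, len, "%s\n%s", u, v);
    return n > 0 && (size_t)n < len;
}

/* Returns 1 if `user` satisfies "require user values[0] .. values[n-1]". */
int check_require_user(const char *user, const char **values, int n, long now) {
    char key[128];
    struct entry *e;
    for (int i = 0; i < n; i++)            /* pass 1: cache only, no LDAP */
        if (make_key(key, sizeof key, user, values[i]) &&
            (e = lookup(key, now)) && e->match) return 1;
    for (int i = 0; i < n; i++) {          /* pass 2: LDAP for uncached values */
        int cacheable = make_key(key, sizeof key, user, values[i]);
        if (cacheable && lookup(key, now)) continue;  /* fresh negative entry */
        int ok = ldap_compare(user, values[i]);
        if (cacheable) store(key, ok, now);
        if (ok) return 1;
    }
    return 0;
}
```

The negative entries only save compares for a name that repeats within the negative lifetime; each new name still costs one compare per listed value and takes cache slots.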
