httpd-modules-dev mailing list archives

From "Thomas, Peter" <>
Subject Seeking suggestions on changes to mod_authnz_ldap [and possibly mod_ldap] supporting X.509/LDAP A&A [AuthType Certificate]
Date Wed, 21 Apr 2010 16:49:07 GMT

When the user's certificate subject is also the DN of the LDAP object,
one can optimize search and compare operations by doing an
LDAP_SCOPE_BASE search for the object based on the subject DN.  I was
able to substitute a search for the exact LDAP object in the
authentication code.  For authorization, I ran into a problem.  The LDAP
search cache entries for a URL are unique by filter expression.  If ANY
user was cached for a specific ldap-filter, the search cache has no way
of knowing that I'm applying that search to a different search base.  I
could create a separate cache for every user encountered [i.e. by
changing the base component of the LDAP URL before calling any
uldap_cache_* function].  That seems painful.  Thoughts?
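
The cache-key problem described in the message above, modelled as a small stand-alone C program: a result cached for one subject DN is reused for another when entries are keyed by filter only, and is not reused when the search base is part of the key. This is an added example, not code from the original post or from mod_ldap/mod_authnz_ldap; the cache structures, the DNs, the filter and directory_search() are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define ALICE  "cn=alice,ou=people,dc=example,dc=com"   /* constructed DNs */
#define BOB    "cn=bob,ou=people,dc=example,dc=com"
#define FILTER "(memberOf=cn=admins,dc=example,dc=com)" /* constructed filter */

/* Toy search cache (hypothetical, not mod_ldap's own structures). */
struct entry { char base[96]; char filter[96]; int matched; };
struct cache { struct entry e[8]; int n; int key_on_base; };

/* Stand-in for an LDAP_SCOPE_BASE search: only ALICE satisfies FILTER. */
static int directory_search(const char *base, const char *filter) {
    return strcmp(base, ALICE) == 0 && strcmp(filter, FILTER) == 0;
}

static struct entry *lookup(struct cache *c, const char *base, const char *filter) {
    for (int i = 0; i < c->n; i++) {
        if (strcmp(c->e[i].filter, filter) != 0) continue;
        /* With key_on_base == 0 the base is ignored, as the message describes. */
        if (c->key_on_base && strcmp(c->e[i].base, base) != 0) continue;
        return &c->e[i];
    }
    return NULL;
}

/* Authorize the certificate subject by searching its own DN with the filter. */
int authorize(struct cache *c, const char *subject_dn, const char *filter) {
    struct entry *hit = lookup(c, subject_dn, filter);
    if (hit) return hit->matched;
    int ok = directory_search(subject_dn, filter);
    if (c->n < 8) {                      /* store the fresh result */
        struct entry *e = &c->e[c->n++];
        snprintf(e->base, sizeof e->base, "%s", subject_dn);
        snprintf(e->filter, sizeof e->filter, "%s", filter);
        e->matched = ok;
    }
    return ok;
}

/* Decision for BOB after ALICE's result has been cached. */
int bob_after_alice(int key_on_base) {
    struct cache c = { .key_on_base = key_on_base };
    authorize(&c, ALICE, FILTER);
    return authorize(&c, BOB, FILTER);
}

int main(void) {
    printf("filter-only: %d, base+filter: %d\n", bob_after_alice(0), bob_after_alice(1));
}
```

With a composite key the two subjects share one cache and still get separate entries, so a per-user cache is not the only way to keep results from crossing between search bases.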