httpd-modules-dev mailing list archives

From "Thomas, Peter" <>
Subject RE: Seeking suggestions on changes to mod_authnz_ldap [and possibly mod_ldap] supporting X.509/LDAP A&A [AuthType Certificate]
Date Wed, 21 Apr 2010 18:23:18 GMT
It's mandatory IFF:
  1) The certificate subject is the LDAP DN, AND
  2) There isn't an LDAP object attribute that can be uniquely mapped to a specific certificate subject DN component

When it isn't mandatory--but the certificate subject is the LDAP object's DN--then an LDAP_SCOPE_BASE
search improves performance for LDAP servers--and thus for relying Apache servers.

I can't speak to importance--it's important to me, or I would have dropped it by now instead
of pressing forward.  I keep running into people who have solved this or similar problems
at the application (or application server) layer [in PHP, RAILS, J2EE, Joomla, &c.].  It's
always seemed like this cries out for handling right where we do SSL termination & initial
AAA--in httpd.

This is never going to be something that the whole world wants; this capability applies only
to situations where X.509 certificates are distributed to users AND LDAP is used to make A&A
decisions based upon users' certificates presented to web servers.


> -----Original Message-----
> From: Eric Covener [] 
> Sent: Wednesday, April 21, 2010 1:39 PM
> To:
> Subject: Re: Seeking suggestions on changes to mod_authnz_ldap [and possibly mod_ldap] supporting X.509/LDAP A&A [AuthType Certificate]
> On Wed, Apr 21, 2010 at 12:49 PM, Thomas, Peter <> wrote:
> > When the user's certificate subject is also the DN of the LDAP object,
> > one can optimize search and compare operations by doing a
> > LDAP_SCOPE_BASE search for the object based on the subject DN.  I was
> > able to substitute a search for the exact LDAP object in the
> > authentication code.  For authorization, I ran into a problem.  The
> > LDAP search cache entries for a URL are unique by filter expression.
> > If ANY user was cached for a specific ldap-filter, the search cache
> > has no way of knowing that I'm applying that search to a different
> > search base.  I could create a separate cache for every user
> > encountered [i.e. by changing the base component of the LDAP URL
> > before calling any uldap_cache_* function].  That seems painful.  Thoughts?
> >
> How important is this optimization to either Apache or the 
> LDAP server?
> --
> Eric Covener
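The cache problem raised in the quoted message, modelled as an added example that is not part of this thread and not mod_ldap's own code (it does not touch the uldap_cache_* API). It shows why a search cache keyed only by the filter string is fine for the usual mapped-attribute case (fixed base, per-user filter) but returns another user's entry once the base varies per certificate subject, and that keying on (base, scope, filter) restores correct authorization at the cost of one round-trip per distinct subject. The directory contents, DNs and group names are constructed sample data.

```python
# Toy model of an LDAP search cache and two ways of locating a user's entry
# from an X.509 subject DN. Not mod_ldap code; all directory data is constructed.

SCOPE_BASE = "base"        # stand-in for LDAP_SCOPE_BASE
SCOPE_SUBTREE = "subtree"  # stand-in for LDAP_SCOPE_SUBTREE

# Constructed sample directory: entry DN -> attributes.
DIRECTORY = {
    "CN=Alice Example,OU=Users,DC=example,DC=org": {
        "uid": "alice",
        "memberOf": ["CN=webadmins,OU=Groups,DC=example,DC=org"]},
    "CN=Bob Example,OU=Users,DC=example,DC=org": {
        "uid": "bob",
        "memberOf": []},
}
USERS_BASE = "OU=Users,DC=example,DC=org"
WEBADMINS = "CN=webadmins,OU=Groups,DC=example,DC=org"


def matches(filt, attrs):
    """Minimal filter evaluator: "(objectClass=*)" or one "(attr=value)" equality."""
    attr, _, value = filt.strip("()").partition("=")
    if attr == "objectClass" and value == "*":
        return True
    return attrs.get(attr) == value


def ldap_search(base, scope, filt):
    """Stand-in for a directory round-trip; returns matching entry DNs.
    DN comparison is a plain suffix match here; real DNs need normalisation."""
    hits = []
    for dn, attrs in DIRECTORY.items():
        in_scope = (dn == base) if scope == SCOPE_BASE else dn.endswith(base)
        if in_scope and matches(filt, attrs):
            hits.append(dn)
    return hits


class SearchCache:
    """Memoises search results; key_fn decides what identifies one search."""

    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.entries = {}
        self.round_trips = 0

    def search(self, base, scope, filt):
        key = self.key_fn(base, scope, filt)
        if key not in self.entries:
            self.round_trips += 1
            self.entries[key] = ldap_search(base, scope, filt)
        return self.entries[key]


def filter_only_key(base, scope, filt):
    """The keying the thread describes: unique by filter expression only."""
    return filt


def full_key(base, scope, filt):
    """Keying that also distinguishes the search base and scope."""
    return (base, scope, filt)


def authorize_by_mapped_attr(cache, uid, required_group):
    """Usual case: fixed base, per-user filter on a uniquely mapped attribute.
    A real implementation must escape `uid` per RFC 4515 before interpolating."""
    hits = cache.search(USERS_BASE, SCOPE_SUBTREE, "(uid=%s)" % uid)
    return bool(hits) and required_group in DIRECTORY[hits[0]]["memberOf"]


def authorize_by_subject(cache, subject_dn, required_group):
    """Certificate case: the subject DN is the entry DN, so a base-scope search
    with a catch-all filter finds it in one step; the base varies per user."""
    hits = cache.search(subject_dn, SCOPE_BASE, "(objectClass=*)")
    return bool(hits) and required_group in DIRECTORY[hits[0]]["memberOf"]


def demo(key_fn):
    """Authorize Alice then Bob against the webadmins group with one cache.
    Returns (alice_allowed, bob_allowed, directory_round_trips)."""
    cache = SearchCache(key_fn)
    alice = authorize_by_subject(
        cache, "CN=Alice Example,OU=Users,DC=example,DC=org", WEBADMINS)
    bob = authorize_by_subject(
        cache, "CN=Bob Example,OU=Users,DC=example,DC=org", WEBADMINS)
    return alice, bob, cache.round_trips


if __name__ == "__main__":
    # Filter-only keying: Bob's check hits Alice's cached result and is wrongly allowed.
    print("filter-only key:", demo(filter_only_key))   # (True, True, 1)
    # Full keying: each subject is resolved separately and Bob is denied.
    print("full key:       ", demo(full_key))          # (True, False, 2)
```

The mapped-attribute path works with either keying because the base never changes and the filter already carries the user identity; the subject-DN path moves the identity into the base, which is exactly the component the filter-only key ignores.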
