httpd-modules-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Eric Covener <cove...@gmail.com>
Subject Re: Seeking suggestions on changes to mod_authnz_ldap [and possibly mod_ldap] supporting X.509/LDAP A&A [AuthType Certificate]
Date Wed, 21 Apr 2010 19:04:21 GMT
On Wed, Apr 21, 2010 at 12:49 PM, Thomas, Peter <pthomas@hpti.com> wrote:
> When the user's certificate subject is also the DN of the LDAP object,
> one can optimize search and compare operations by doing a
> LDAP_SCOPE_BASE search for the object based on the subject DN.  I was
> able to substitute a search for the exact LDAP object in the
> authentication code.

I thought your goal was for the certificate itself to be the source of authn?

Does the roundtrip to LDAP  during authn add much?

> For authorization, I ran into a problem.  The LDAP
> search cache entries for a URL are unique by filter expression.
> user was cached for a specific ldap-filter, the search cache has no way
> of knowing that I'm applying that search to a different search base.  I
> could create a separate cache for every user encountered [i.e. by
> changing the base component of the LDAP URL before calling any
> uldap_cache_* function].  That seems painful.  Thoughts?

I guess this applies to ldap-user and ldap-filter but not the other
ldap-* -- attributes already use the user DN as the base and groups
use the group as a base -- although if your schema uses the CN as the
group member value you'd have to extract it from the DN.

It does seem like either the cache structure, or the
ldap-user/ldap-filter logic would need an overhaul. 1-cache-per-user
is probably the wrong direction though.


-- 
Eric Covener
covener@gmail.com

Mime
View raw message