httpd-modules-dev mailing list archives

From Eric Covener
Subject Re: Seeking suggestions on changes to mod_authnz_ldap [and possibly mod_ldap] supporting X.509/LDAP A&A [AuthType Certificate]
Date Wed, 21 Apr 2010 17:38:44 GMT

On Wed, Apr 21, 2010 at 12:49 PM, Thomas, Peter wrote:
> When the user's certificate subject is also the DN of the LDAP object,
> one can optimize search and compare operations by doing a
> LDAP_SCOPE_BASE search for the object based on the subject DN.  I was
> able to substitute a search for the exact LDAP object in the
> authentication code.  For authorization, I ran into a problem.  The LDAP
> search cache entries for a URL are unique by filter expression.  If ANY
> user was cached for a specific ldap-filter, the search cache has no way
> of knowing that I'm applying that search to a different search base.  I
> could create a separate cache for every user encountered [i.e. by
> changing the base component of the LDAP URL before calling any
> uldap_cache_* function].  That seems painful.  Thoughts?

How important is this optimization to either Apache or the LDAP server?

Eric Covener
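
A toy model of the cache problem raised in the quoted message, added here as an example; it is not code from mod_ldap, mod_authnz_ldap or either poster. The `cached_search` function, the `key_includes_base` switch, the DNs and the filter are all constructed for illustration, and keying on base plus filter is shown only as one possible way to keep per-user results apart.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample values; none of these come from the thread. */
#define ALICE  "cn=alice,ou=people,dc=example,dc=com"
#define BOB    "cn=bob,ou=people,dc=example,dc=com"
#define FILTER "(memberOf=cn=admins,dc=example,dc=com)"
#define SLOTS  8

/* Toy search cache, not mod_ldap's real structures. */
struct entry { char base[96]; char filter[96]; int matched; };
struct cache { struct entry e[SLOTS]; int n; int key_includes_base; };

/* Stand-in for the directory: only alice's entry matches FILTER. */
static int directory_search(const char *base, const char *filter) {
    return strcmp(base, ALICE) == 0 && strcmp(filter, FILTER) == 0;
}

/* SCOPE_BASE-style lookup: does the object at `base` match `filter`? */
static int cached_search(struct cache *c, const char *base, const char *filter) {
    for (int i = 0; i < c->n; i++) {
        if (strcmp(c->e[i].filter, filter) != 0) continue;
        if (c->key_includes_base && strcmp(c->e[i].base, base) != 0) continue;
        return c->e[i].matched;            /* cache hit */
    }
    int matched = directory_search(base, filter);
    if (c->n < SLOTS) {                    /* remember the result */
        struct entry *e = &c->e[c->n++];
        snprintf(e->base, sizeof e->base, "%s", base);
        snprintf(e->filter, sizeof e->filter, "%s", filter);
        e->matched = matched;
    }
    return matched;
}

/* Authorization answer for bob once alice's result is already cached. */
int bob_after_alice(int key_includes_base) {
    struct cache c;
    memset(&c, 0, sizeof c);
    c.key_includes_base = key_includes_base;
    cached_search(&c, ALICE, FILTER);
    return cached_search(&c, BOB, FILTER);
}

int main(void) {
    printf("filter-only key:  bob authorized = %d\n", bob_after_alice(0));
    printf("base+filter key:  bob authorized = %d\n", bob_after_alice(1));
    return 0;
}
```

With the filter-only key, the second lookup is served alice's cached result, so bob is treated as matching the filter without the directory ever being asked about his entry.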
