Yavor Trapkov wrote:

- firstly, it checks if the whole string "User1 User2 .." matches the CN of the
authenticated user and as this is a very rare situation it almost always
fails so each time we request a page, the WEB server sends an LDAP query as this
is never cached as a negative result

We have to check this case first, otherwise we could have false positives.


A better workaround for this is to insist that all the tokens in the require list be surrounded with "'s if there are spaces involved in the search pattern. Then we can drop the whole line search entirely.

- secondly, there is a loop that checks if every single entry in the list
  matches the CN of the authenticated user
    = it checks if this is a cached positive result
    = and if not it sends an LDAP query
    = this happens until it finds a match or the list finishes

If you have a need for more than one user on a require user line, then you really should be using LDAP groups. LDAP groups are far more manageable anyway.


- firstly, to check all words in the list only against the cache and not send
LDAP queries

What you are asking for is negative caching, which I am not 100% comfortable with. If a login fails due to some error (eg wrong password), and the error is subsequently fixed in the directory, the next time the query is tried with the correct password the comparison will fail until the negative cache has timed out. This will not be immediately obvious to the user, and will probably be reported as a bug.


 - at last, to check for the whole string "user1 user2 .." as this is very
   rare case and in almost all cases gives a negative result

It is not a rare case - if you match against cn (as iPlanet directory server does by default) you will almost always use this case.


Regards,
Graham
--
-----------------------------------------
[EMAIL PROTECTED]               "There's a moon
                                        over Bourbon Street
                                                tonight..."
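As an added example (not code from either poster or from the web server's LDAP module), a small Python model of the require-user check as the thread describes it: quoted tokens instead of the whole-line comparison, a cache of positive results only, and a counter showing which lookups still reach the directory. The DN and the directory contents are constructed for the example.

```python
import shlex


class RequireUserMatcher:
    """Toy model of the 'require user' check discussed in the thread.

    Tokens may be quoted so that a CN containing spaces ("John Doe") can be
    matched without the whole-line comparison. Only positive compares are
    cached, so every non-matching token is re-queried on the next request,
    which is the cost the thread is weighing against negative caching."""

    def __init__(self, directory):
        # constructed stand-in for the LDAP directory: DN -> cn attribute
        self.directory = directory
        self.cache = set()        # (dn, token) pairs that compared true
        self.ldap_queries = 0     # number of simulated LDAP compare ops

    @staticmethod
    def tokenize(require_line):
        # 'alice "John Doe"' -> ['alice', 'John Doe']; shlex honours quotes
        return shlex.split(require_line)

    def ldap_compare(self, dn, cn):
        # one simulated round trip to the directory per call
        self.ldap_queries += 1
        return self.directory.get(dn) == cn

    def is_authorized(self, dn, require_line):
        # same loop as in the thread: cache first, then a live compare,
        # stop at the first match or when the list is exhausted
        for token in self.tokenize(require_line):
            if (dn, token) in self.cache:
                return True
            if self.ldap_compare(dn, token):
                self.cache.add((dn, token))
                return True
        return False


# constructed sample: one user whose cn contains a space
SAMPLE_DN = "uid=jdoe,ou=people,dc=example,dc=com"
SAMPLE_DIRECTORY = {SAMPLE_DN: "John Doe"}
```

Calling `is_authorized` twice with `'alice "John Doe"'` shows the effect: the second request is served from the positive cache for "John Doe", but "alice" is still compared against the directory each time because its negative result is never cached.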