When the user's certificate subject is also the DN of the LDAP object,
one can optimize search and compare operations by doing an
LDAP_SCOPE_BASE search for the object based on the subject DN. I was
able to substitute a search for the exact LDAP object in the
authentication code. For authorization, I ran into a problem. The LDAP
search cache entries for a URL are unique by filter expression. If ANY
user was cached for a specific ldap-filter, the search cache has no way
of knowing that I'm applying that search to a different search base. I
could create a separate cache for every user encountered [i.e. by
changing the base component of the LDAP URL before calling any
uldap_cache_* function]. That seems painful. Thoughts?
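
The collision described in the message above, as an added example that is not part of the original post and not the module's own code: a toy result cache keyed by filter alone hands the first user's authorization result to the second, while a key that also carries the search base does not. The names cached_authz and base_search, the DNs, and the filter are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define SLOTS 8
#define KEYLEN 256
#define ALICE "cn=alice,ou=people,dc=example,dc=com"
#define BOB   "cn=bob,ou=people,dc=example,dc=com"

/* Constructed directory: each DN and the one filter it satisfies. */
static const char *directory[][2] = {
    { ALICE, "(businessCategory=admins)" },
    { BOB,   "(businessCategory=staff)"  },
};

/* Stand-in for an LDAP_SCOPE_BASE search: does the object at `base` match? */
static int base_search(const char *base, const char *filter) {
    for (size_t i = 0; i < sizeof directory / sizeof directory[0]; i++)
        if (strcmp(directory[i][0], base) == 0)
            return strcmp(directory[i][1], filter) == 0;
    return 0;
}

struct cache { char key[SLOTS][KEYLEN]; int result[SLOTS]; int n; };

/* with_base 0: key is the filter alone; 1: length-prefixed base DN + filter. */
static int cached_authz(struct cache *c, int with_base,
                        const char *base, const char *filter) {
    char key[KEYLEN];
    int len = with_base
        ? snprintf(key, sizeof key, "%zu:%s|%s", strlen(base), base, filter)
        : snprintf(key, sizeof key, "%s", filter);
    if (len < 0 || len >= KEYLEN) return base_search(base, filter); /* truncated */
    for (int i = 0; i < c->n; i++)
        if (strcmp(c->key[i], key) == 0) return c->result[i];
    int r = base_search(base, filter);
    if (c->n < SLOTS) { strcpy(c->key[c->n], key); c->result[c->n++] = r; }
    return r;
}

/* Bob's authorization result once Alice's lookup is already cached. */
static int bob_after_alice(int with_base) {
    struct cache c; c.n = 0;
    cached_authz(&c, with_base, ALICE, "(businessCategory=admins)");
    return cached_authz(&c, with_base, BOB, "(businessCategory=admins)");
}

int main(void) {
    printf("filter-only key: bob authorized = %d\n", bob_after_alice(0));
    printf("base+filter key: bob authorized = %d\n", bob_after_alice(1));
    return 0;
}
```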