On Wed, Apr 21, 2010 at 12:49 PM, Thomas, Peter <ptho...@hpti.com> wrote: > When the user's certificate subject is also the DN of the LDAP object, > one can optimize search and compare operations by doing a > LDAP_SCOPE_BASE search for the object based on the subject DN. I was > able to substitute a search for the exact LDAP object in the > authentication code.
I thought your goal was for the certificate itself to be the source of authn? Does the roundtrip to LDAP during authn add much? > For authorization, I ran into a problem. The LDAP > search cache entries for a URL are unique by filter expression. > user was cached for a specific ldap-filter, the search cache has no way > of knowing that I'm applying that search to a different search base. I > could create a separate cache for every user encountered [i.e. by > changing the base component of the LDAP URL before calling any > uldap_cache_* function]. That seems painful. Thoughts? I guess this applies to ldap-user and ldap-filter but not the other ldap-* -- attributes already use the user DN as the base and groups use the group as a base -- although if your schema uses the CN as the group member value you'd have to extract it from the DN. It does seem like either the cache structure, or the ldap-user/ldap-filter logic would need an overhaul. 1-cache-per-user is probably the wrong direction though. -- Eric Covener cove...@gmail.com
