[email protected] wrote:
>> Note that the SSSVLV overlay can handle paged results locally too, thus
>> negating any need for back-ldap/back-meta to forward it to a remote
>> server.
>> Obviously for greatest generality, there needs to be a way to configure
>> which set of controls to pass through, and which to process locally.
>> (Much like back-ldap's option to process the WhoAmI exop...)
>
> Right. With proxies the problem is twofold:
>
> a) clients request pr because they think they're talking to AD
>
> b) the proxy may need to use pr even if the client does not request it,
> because it knows it's talking to AD
>
> In (a), the issue could be handled the way sssvlv does, relieving the
> proxy from having to deal with server-side pr; this would be extremely
> beneficial, for example, for back-meta
>
> In (b), the proxy could be configured to use pr the way I mentioned above;
> in principle, the proxy could be so clever to avoid using pr, and simply
> accept to handle unrequested pr responses, but only if instructed to do
> so.
>
> Filtering what controls are passed thru should be easy, since both proxy
> backends always call ldap_back_controls_add()/meta_back_controls_add() to
> muck with request controls (usually to add proxied authorization and so);
> this function could easily strip or add pr if instructed to do so.

Should also revisit ITS#4591 while thinking about this.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
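
The strip-or-add decision discussed in this thread, as an added example that is not part of the original messages and is not OpenLDAP code: a stand-alone C model of a controls_add-style hook that handles case (a) by stripping pr for local paging and case (b) by adding pr the client never asked for. The `pr_policy` enum, `fwd_result` struct and `filter_controls()` are hypothetical names, and the sample control list is constructed.

```c
#include <stdio.h>
#include <string.h>

#define PR_OID "1.2.840.113556.1.4.319" /* pagedResults control (RFC 2696) */

/* Hypothetical per-proxy setting for the pagedResults (pr) control. */
enum pr_policy { PR_PASS, PR_STRIP, PR_FORCE };

struct fwd_result {
    int n_out;         /* number of controls forwarded to the remote server */
    int local_paging;  /* 1: client asked for pr, proxy must page locally (a) */
    int unwrap_paging; /* 1: proxy added pr itself and must hide the pages (b) */
};

/* Copy request control OIDs from in[] to out[] (capacity n_in + 1),
 * stripping or adding pr according to the configured policy. */
struct fwd_result filter_controls(const char **in, int n_in,
                                  enum pr_policy policy, const char **out)
{
    struct fwd_result r = {0, 0, 0};
    int client_pr = 0;
    for (int i = 0; i < n_in; i++) {
        if (strcmp(in[i], PR_OID) == 0) {
            client_pr = 1;
            if (policy == PR_STRIP) { r.local_paging = 1; continue; }
        }
        out[r.n_out++] = in[i]; /* everything else passes through */
    }
    if (policy == PR_FORCE && !client_pr) {
        out[r.n_out++] = PR_OID; /* remote needs pr, client did not send it */
        r.unwrap_paging = 1;
    }
    return r;
}

int main(void)
{
    /* Constructed request: ManageDsaIT (RFC 3296) plus pagedResults. */
    const char *in[] = { "2.16.840.1.113730.3.4.2", PR_OID };
    const char *out[3];
    struct fwd_result r = filter_controls(in, 2, PR_STRIP, out);
    printf("forwarded=%d local_paging=%d\n", r.n_out, r.local_paging);
    return 0;
}
```

The two flags in the result are the state the proxy has to carry into response handling: `local_paging` means the client still expects a pr response control from the proxy, while `unwrap_paging` means the pr responses from the remote server must not reach the client.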
