Re: Seeking suggestions on changes to mod_authnz_ldap [and possibly mod_ldap] supporting X.509/LDAP AA [AuthType Certificate]

2010-04-21 Thread Eric Covener
On Wed, Apr 21, 2010 at 12:49 PM, Thomas, Peter ptho...@hpti.com wrote:
> When the user's certificate subject is also the DN of the LDAP object,
> one can optimize search and compare operations by doing a
> LDAP_SCOPE_BASE search for the object based on the subject DN.  I was
> able to substitute a search for the exact LDAP object in the
> authentication code.  For authorization, I ran into a problem.  The LDAP
> search cache entries for a URL are unique by filter expression.  If ANY
> user was cached for a specific ldap-filter, the search cache has no way
> of knowing that I'm applying that search to a different search base.  I
> could create a separate cache for every user encountered [i.e. by
> changing the base component of the LDAP URL before calling any
> uldap_cache_* function].  That seems painful.  Thoughts?


How important is this optimization to either Apache or the LDAP server?

-- 
Eric Covener
cove...@gmail.com


Re: Seeking suggestions on changes to mod_authnz_ldap [and possibly mod_ldap] supporting X.509/LDAP AA [AuthType Certificate]

2010-04-21 Thread Eric Covener
On Wed, Apr 21, 2010 at 12:49 PM, Thomas, Peter ptho...@hpti.com wrote:
> When the user's certificate subject is also the DN of the LDAP object,
> one can optimize search and compare operations by doing a
> LDAP_SCOPE_BASE search for the object based on the subject DN.  I was
> able to substitute a search for the exact LDAP object in the
> authentication code.

I thought your goal was for the certificate itself to be the source of authn?

Does the roundtrip to LDAP during authn add much?

> For authorization, I ran into a problem.  The LDAP
> search cache entries for a URL are unique by filter expression.  If ANY
> user was cached for a specific ldap-filter, the search cache has no way
> of knowing that I'm applying that search to a different search base.  I
> could create a separate cache for every user encountered [i.e. by
> changing the base component of the LDAP URL before calling any
> uldap_cache_* function].  That seems painful.  Thoughts?

I guess this applies to ldap-user and ldap-filter but not the other
ldap-* -- attributes already use the user DN as the base and groups
use the group as a base -- although if your schema uses the CN as the
group member value you'd have to extract it from the DN.

It does seem like either the cache structure, or the
ldap-user/ldap-filter logic would need an overhaul. 1-cache-per-user
is probably the wrong direction though.


-- 
Eric Covener
cove...@gmail.com
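An added model of the cache-key collision Peter describes (not code from mod_ldap, mod_authnz_ldap or this thread): an ldap-filter check done as a LDAP_SCOPE_BASE search on each user's DN, run through a search cache keyed only by the filter string and then through one keyed by (base, scope, filter). The DIRECTORY contents, SearchCache class and authorize() helper are constructed for illustration; the real uldap_cache_* API is not modelled.

```python
"""Why a search cache keyed by filter alone breaks per-user base-scope searches."""
import re
from dataclasses import dataclass, field

LDAP_SCOPE_BASE = 0  # same meaning as the LDAP C API constant; value is illustrative

# Constructed sample directory: DN -> attribute -> set of values (not a real server)
DIRECTORY = {
    "cn=alice,ou=people,dc=example,dc=com": {"memberOf": {"cn=admins,ou=groups,dc=example,dc=com"}},
    "cn=bob,ou=people,dc=example,dc=com": {"memberOf": set()},
}

def ldap_search(base, scope, filt):
    """Simulated base-scope search: the object at `base` is returned iff it matches
    the single-attribute filter "(attr=value)"; any other scope is out of scope here."""
    if scope != LDAP_SCOPE_BASE:
        raise ValueError("this model only simulates LDAP_SCOPE_BASE searches")
    attr, value = re.fullmatch(r"\((\w+)=(.+)\)", filt).groups()
    entry = DIRECTORY.get(base)
    if entry is None:
        return []
    return [base] if value in entry.get(attr, set()) else []

@dataclass
class SearchCache:
    """Search cache whose key either ignores the base (the problem) or includes it."""
    key_includes_base: bool
    entries: dict = field(default_factory=dict)
    hits: int = 0

    def search(self, base, scope, filt):
        key = (base, scope, filt) if self.key_includes_base else filt
        if key in self.entries:           # cached result reused regardless of base
            self.hits += 1
            return self.entries[key]
        result = ldap_search(base, scope, filt)
        self.entries[key] = result
        return result

def authorize(cache, user_dn, filt):
    """ldap-filter style decision: does the user's own object satisfy the filter?"""
    return bool(cache.search(user_dn, LDAP_SCOPE_BASE, filt))

def demo(key_includes_base):
    """Authorize alice (an admin) and then bob (not an admin) with the same filter."""
    cache = SearchCache(key_includes_base)
    filt = "(memberOf=cn=admins,ou=groups,dc=example,dc=com)"
    alice = authorize(cache, "cn=alice,ou=people,dc=example,dc=com", filt)
    bob = authorize(cache, "cn=bob,ou=people,dc=example,dc=com", filt)
    return alice, bob, cache.hits
```

With the filter-only key, bob's lookup hits alice's cached entry and is wrongly authorized; adding the base to the key gives the correct per-user answer at the cost of one cached entry per DN, which is the cache-structure change the thread is weighing.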


RE: Seeking suggestions on changes to mod_authnz_ldap [and possibly mod_ldap] supporting X.509/LDAP AA [AuthType Certificate]

2010-04-21 Thread Thomas, Peter
It's mandatory IFF:
  1) The certificate subject is the LDAP DN, AND
  2) There isn't an LDAP object attribute that can be uniquely mapped to a 
specific certificate subject DN component

When it isn't mandatory--but the certificate subject is the LDAP object's 
DN--then an LDAP_SCOPE_BASE search improves performance for LDAP servers--and 
thus for relying Apache servers.

I can't speak to importance--it's important to me, or I would have dropped it 
by now instead of pressing forward.  I keep running into people who have 
solved this or similar problems at the application (or application server 
layer) [in PHP, RAILS, J2EE, Joomla, &c.]  It's always seemed like this cries 
out for handling right where we do SSL termination & initial AAA--in httpd.

This is never going to be something that the whole world wants; this capability 
applies only to situations where X.509 certificates are distributed to users 
AND LDAP is used to make AA decisions based upon users' certificates presented 
to web servers.

--Pete
