It's mandatory IFF: 1) The certificate subject is the LDAP DN, AND 2) There isn't an LDAP object attribute that can be uniquely mapped to a specific certificate subject DN component.

When it isn't mandatory--but the certificate subject is the LDAP object's DN--then an LDAP_SCOPE_BASE search improves performance for LDAP servers--and thus for relying Apache servers.

I can't speak to importance--it's important to me, or I would have dropped it by now instead of pressing forward. I keep running into people who have solved this or similar problems at the application (or application server) layer [in PHP, RAILS, J2EE, Joomla, &c.]. It's always seemed like this cries out for handling right where we do SSL termination & initial AAA--in httpd.

This is never going to be something that the whole world wants; this capability applies only to situations where X.509 certificates are distributed to users AND LDAP is used to make A&A decisions based upon users' certificates presented to web servers.

--Pete

> -----Original Message-----
> From: Eric Covener [mailto:[email protected]]
> Sent: Wednesday, April 21, 2010 1:39 PM
> To: [email protected]
> Subject: Re: Seeking suggestions on changes to mod_authnz_ldap [and possibly mod_ldap] supporting X.509/LDAP A&A [AuthType Certificate]
>
> On Wed, Apr 21, 2010 at 12:49 PM, Thomas, Peter <[email protected]> wrote:
> > When the user's certificate subject is also the DN of the LDAP object, one can optimize search and compare operations by doing a LDAP_SCOPE_BASE search for the object based on the subject DN. I was able to substitute a search for the exact LDAP object in the authentication code. For authorization, I ran into a problem. The LDAP search cache entries for a URL are unique by filter expression. If ANY user was cached for a specific ldap-filter, the search cache has no way of knowing that I'm applying that search to a different search base. I could create a separate cache for every user encountered [i.e. by changing the base component of the LDAP URL before calling any uldap_cache_* function]. That seems painful. Thoughts?
>
> How important is this optimization to either Apache or the LDAP server?
>
> --
> Eric Covener
> [email protected]
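To make the cache-keying problem in the quoted message concrete, here is an added Python model (not mod_ldap's or mod_authnz_ldap's code; the directory, DNs and the `group` attribute are constructed) of a per-URL search cache whose entries are unique by filter alone, beside one keyed by base, scope and filter, when every request uses its certificate subject as the search base:

```python
"""Model of a per-URL LDAP search cache keyed by filter only versus by
(base, scope, filter). Added illustration, not httpd code; all data is
constructed."""

# Constructed directory: each object's DN doubles as the certificate subject.
DIRECTORY = {
    "cn=alice,ou=users,dc=example,dc=org": {"cn": "alice", "group": "admins"},
    "cn=bob,ou=users,dc=example,dc=org":   {"cn": "bob",   "group": "staff"},
}

def base_search(base_dn, filt):
    """Model an LDAP_SCOPE_BASE search: only the object at base_dn is a
    candidate. Supports (objectClass=*) and a single (attr=value) test."""
    entry = DIRECTORY.get(base_dn)
    if entry is None:
        return None
    if filt == "(objectClass=*)":
        return base_dn
    attr, _, value = filt.strip("()").partition("=")
    return base_dn if entry.get(attr) == value else None

class SearchCache:
    """Per-URL search cache. key_on_base=False reproduces 'entries are unique
    by filter expression'; key_on_base=True adds base and scope to the key."""
    def __init__(self, key_on_base):
        self.key_on_base = key_on_base
        self.entries = {}
        self.server_searches = 0   # searches that reached the modelled server

    def cached_search(self, base_dn, filt):
        key = (base_dn, "base", filt) if self.key_on_base else (filt,)
        if key not in self.entries:          # negative results are cached too
            self.server_searches += 1
            self.entries[key] = base_search(base_dn, filt)
        return self.entries[key]

def authz_check(cache, subject_dn, required_group):
    """Authorize only if the subject's own object carries required_group."""
    return cache.cached_search(subject_dn, f"(group={required_group})") is not None

ALICE = "cn=alice,ou=users,dc=example,dc=org"
BOB = "cn=bob,ou=users,dc=example,dc=org"

def demo(key_on_base):
    """Alice (an admin) is checked first, then Bob (not an admin) with the
    same filter but his own base. Returns (alice_ok, bob_ok, server_searches)."""
    cache = SearchCache(key_on_base)
    alice_ok = authz_check(cache, ALICE, "admins")
    bob_ok = authz_check(cache, BOB, "admins")   # filter-only key hits Alice's entry
    return alice_ok, bob_ok, cache.server_searches
```

With the filter-only key, `demo(False)` returns `(True, True, 1)`: Bob is authorized from Alice's cached hit without the server ever seeing his base. With the base in the key, `demo(True)` returns `(True, False, 2)`.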
