On Fri, Jan 4, 2019 at 12:59 PM Nick Couchman <[email protected]> wrote:
> On Fri, Jan 4, 2019 at 10:34 AM JoelB <[email protected]> wrote:
>
>> Is there any way to implement concurrency limits for connections/users
>> defined in LDAP? I've been unable to get LDAP and MySQL to co-operate so
>> I've switched to an LDAP-only configuration. However, I need to be able to
>> restrict users to logging in to only one machine at a time and clients to
>> only allow one connection at a time.
>>
>
> I do not believe the connection attributes (which includes concurrency)
> work from connections defined within the LDAP authentication module.
>

It's not so much that they don't work as they aren't implemented. Only the database auth implements the type of tracking necessary for these limits.

While it is true that the database auth allows these limits to be maintained/overridden with connection attributes, leveraging connection attributes is only necessary if these limits are to be exposed within the user interface. If concurrency limits were implemented within LDAP, which will presumably remain read-only, the limits could be read internally from LDAP attributes, exposing nothing.

I think we would first want to look into extracting the core of the database auth that implements connection tracking, sharing, etc. such that it can be used by other extensions, including downstream extensions. It's a very common need, and implementing reliable connection tracking in a way that doesn't have difficult-to-diagnose race conditions is tricky.

- Mike
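The race-condition concern raised in the reply above, as an added example that is not part of the original thread and is not Guacamole's code: a per-user and per-connection limit is only enforced if the check and the increment happen as one atomic step, and a refused or closed session must give its slot back exactly once. The class name, method names, key prefixes and sample users are hypothetical, and the tracker assumes a single JVM (no clustering).

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicBoolean;

/** Hypothetical in-memory tracker for illustration; single JVM only. */
public class ConcurrencyTracker {
    private final ConcurrentHashMap<String, Integer> active = new ConcurrentHashMap<>();
    private final int maxPerUser;        // 1 = one machine per user
    private final int maxPerConnection;  // 1 = one client per machine

    public ConcurrencyTracker(int maxPerUser, int maxPerConnection) {
        this.maxPerUser = maxPerUser;
        this.maxPerConnection = maxPerConnection;
    }

    // Check and increment inside one atomic compute(). A separate get()
    // followed by put() would let two simultaneous logins both see "0 active".
    private boolean reserve(String key, int limit) {
        boolean[] granted = { false };
        active.compute(key, (k, n) -> {
            int current = (n == null) ? 0 : n;
            if (current >= limit) return n;   // at the limit: leave count unchanged
            granted[0] = true;
            return current + 1;
        });
        return granted[0];
    }

    private void release(String key) {
        active.computeIfPresent(key, (k, n) -> n > 1 ? n - 1 : null);
    }

    /** Returns a lease to close on disconnect, or null if a limit is reached. */
    public AutoCloseable tryAcquire(String user, String connection) {
        String u = "user:" + user, c = "conn:" + connection;
        if (!reserve(u, maxPerUser)) return null;
        if (!reserve(c, maxPerConnection)) {
            release(u);                       // roll back: a refusal must not leak a slot
            return null;
        }
        AtomicBoolean released = new AtomicBoolean(false);
        return () -> {                        // idempotent: a double close frees once
            if (released.compareAndSet(false, true)) { release(c); release(u); }
        };
    }

    public static void main(String[] args) throws Exception {
        ConcurrencyTracker t = new ConcurrencyTracker(1, 1);  // constructed sample names below
        AutoCloseable lease = t.tryAcquire("alice", "desktop-1");
        System.out.println("second machine refused: " + (t.tryAcquire("alice", "desktop-2") == null));
        System.out.println("second client refused: " + (t.tryAcquire("bob", "desktop-1") == null));
        lease.close();
        System.out.println("slot reusable: " + (t.tryAcquire("bob", "desktop-1") != null));
    }
}
```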
