Frédéric,
On 4/22/14, 12:38 PM, Frédéric Poliquin wrote:
> Passwords are protected using standard SSL. Eventually, the plan
> is to move towards OAuth 2.0 with a cookie/security token but until
> then I needed a quick solution...
>
> For the other question, Apache httpd has an authentication cache
> which prevents going to Active Directory every time which is not
> linked to any session. It is documented here:
> http://httpd.apache.org/docs/current/mod/mod_ldap.html#cache

For those readers who don't feel like reading/understanding the documentation, what Frédéric is leaving unsaid is that mod_ldap caches the results of various lookups. It's somewhat important to note that the authentication information itself is not cached: there is no LDAP token or anything like that that survives across individual requests from a client. Instead, the results of a particular lookup are cached. This means that if the user changes their password or the group membership changes on the LDAP side, httpd won't know about those changes, and therefore old credentials are still valid, and old group-based authentication checks will yield invalid authentication decisions based upon the canonical LDAP service's view of the world. This may not be a big deal to you, but it's important to note that it is a side-effect of such caching.
-chris
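As an added example (not from Chris's or Frédéric's messages), here is an httpd 2.4 configuration fragment that makes the mod_ldap cache lifetimes Chris is describing explicit, so the window during which a changed password or group membership goes unnoticed is a deliberate choice rather than the default. Host names, DNs, the service account and the group name are placeholders.

```apache
# Added example, not from the original thread. Authenticates against
# Active Directory through mod_authnz_ldap and sets the mod_ldap cache
# lifetimes explicitly. All names below are placeholders.

LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

# If these directives are omitted, both caches default to 600 seconds,
# so a password change or a group-membership change on the AD side can
# go unseen by httpd for up to 10 minutes.
# LDAPCacheTTL   600
# LDAPOpCacheTTL 600

# Tightened: keep search/bind results and group-compare results for
# 60 seconds. Setting LDAPCacheEntries 0 and LDAPOpCacheEntries 0
# disables the caches entirely, at the cost of one AD round-trip per
# request.
LDAPSharedCacheSize 500000
LDAPCacheEntries    1024
LDAPCacheTTL        60
LDAPOpCacheEntries  1024
LDAPOpCacheTTL      60

<Location "/secure">
    AuthType Basic
    AuthName "Corporate"
    AuthBasicProvider ldap
    # Placeholder domain controller and search base, over LDAPS.
    AuthLDAPURL "ldaps://dc.example.invalid:636/DC=example,DC=invalid?sAMAccountName?sub?(objectClass=user)"
    AuthLDAPBindDN "CN=svc-httpd,OU=Service Accounts,DC=example,DC=invalid"
    AuthLDAPBindPassword "placeholder-service-password"
    # The result of this group check lives in the operation cache, so a
    # user removed from the group keeps access until LDAPOpCacheTTL expires.
    Require ldap-group CN=WebUsers,OU=Groups,DC=example,DC=invalid
</Location>

# Check: the ldap-status handler shows cache entries, hit/miss counts and
# expiry times, which is how to confirm what httpd is actually remembering.
<Location "/ldap-status">
    SetHandler ldap-status
    Require ip 127.0.0.1 ::1
</Location>
```

Lowering the TTLs narrows the stale-credential window Chris describes but does not close it; only disabling the caches makes every request consult AD.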