masarati@aero.polimi.it wrote:
Note that the SSSVLV overlay can handle paged results locally too, thus negating any need for back-ldap/back-meta to forward it to a remote server. Obviously for greatest generality, there needs to be a way to configure which set of controls to pass through, and which to process locally. (Much like back-ldap's option to process the WhoAmI exop...)
Right. With proxies the problem is twofold:
a) clients request pr because they think they're talking to AD
b) the proxy may need to use pr even if the client does not request it, because it knows it's talking to AD
In (a), the issue could be handled the way sssvlv does, relieving the proxy from having to deal with server-side pr; this would be extremely beneficial, for example, for back-meta.
In (b), the proxy could be configured to use pr the way I mentioned above; in principle, the proxy could be so clever as to avoid using pr, and simply accept to handle unrequested pr responses, but only if instructed to do so.
Filtering what controls are passed through should be easy, since both proxy backends always call ldap_back_controls_add()/meta_back_controls_add() to muck with request controls (usually to add proxied authorization and so on); this function could easily strip or add pr if instructed to do so.
Should also revisit ITS#4591 while thinking about this.
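
The strip-or-add policy discussed in this thread, sketched as an added example; it is not OpenLDAP code and not from any participant. The `ctrl_t` type, the `pr_policy_t` setting and `filter_controls()` are hypothetical names; only the paged results OID (RFC 2696) and the proxied authorization OID used in testing (RFC 4370) are real.

```c
/* Added illustration, not OpenLDAP source: types and names are hypothetical. */
#include <stddef.h>
#include <string.h>

#define PR_OID "1.2.840.113556.1.4.319"  /* pagedResultsControl, RFC 2696 */

typedef struct { const char *oid; int critical; } ctrl_t;   /* simplified control */
typedef enum { PR_PASS, PR_STRIP, PR_FORCE } pr_policy_t;   /* assumed config knob */

/* Build the control list sent to the remote server from the client's list.
 * Returns the number of controls written to out, or -1 if out is too small.
 * *added_pr is set when the proxy injected pr itself, so the caller knows it
 * must consume the paging cookie and not relay the response control. */
int filter_controls(const ctrl_t *in, size_t n_in, pr_policy_t policy,
                    ctrl_t *out, size_t cap, int *added_pr)
{
    size_t n = 0;
    int seen_pr = 0;

    *added_pr = 0;
    for (size_t i = 0; i < n_in; i++) {
        int is_pr = strcmp(in[i].oid, PR_OID) == 0;

        if (is_pr && policy == PR_STRIP)
            continue;               /* case (a): handled locally, not forwarded */
        if (is_pr)
            seen_pr = 1;
        if (n == cap)
            return -1;
        out[n++] = in[i];           /* everything else passes through */
    }
    if (policy == PR_FORCE && !seen_pr) {   /* case (b): remote needs pr */
        if (n == cap)
            return -1;
        out[n++] = (ctrl_t){ PR_OID, 0 };
        *added_pr = 1;
    }
    return (int)n;
}
```

Tracking `added_pr` separately matters because a response control the client never requested must be consumed by the proxy, while one the client did request still has to be relayed.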