Hi, I'm using slapd 2.3.27 as a metadirectory with two external Active Directory servers and the pcache overlay enabled. The pcache overlay is working OK, but when I do a non-anonymous search and slapd gets the results from the local cache, it establishes a new connection to the external directory, tries to bind and then closes the connection. Although I understand that this is the logical behaviour, I'm looking for some way to avoid this binding against the external directory if the results of the search are going to be obtained from the slapd cache, in order to increase performance (in my scenario validating credentials for cached results is not a priority).
If that is not possible, I'd like to know if there is a way to make slapd establish a permanent connection to the external directory with the purpose of doing those credential validations (instead of establishing a new TCP connection on every search).
Thank you in advance.
Daniel Montero Motilla wrote:
> Hi, I'm using slapd 2.3.27 as a metadirectory with two external Active Directory servers and the pcache overlay enabled. The pcache overlay is working OK, but when I do a non-anonymous search and slapd gets the results from the local cache, it establishes a new connection to the external directory, tries to bind and then closes the connection. Although I understand that this is the logical behaviour, I'm looking for some way to avoid this binding against the external directory if the results of the search are going to be obtained from the slapd cache, in order to increase performance (in my scenario validating credentials for cached results is not a priority).
It is not possible.
> If that is not possible, I'd like to know if there is a way to make slapd establish a permanent connection to the external directory with the purpose of doing those credential validations (instead of establishing a new TCP connection on every search).
No. Binds are always performed on a freshly created connection; there's little to do about it.
The only possible solution I see in your case is modifying slapo-pcache so that it also caches binds (with all the security concerns this may imply); in that case, an attempt to lookup the bindDN locally should take place before contacting the remote server and, in case of success, identity assertion should be used if the subsequent search is not cached; if the bindDN is not cached, after a successful simple bind, the overlay should save a "glue" entry with the bindDN and the password (possibly encrypted).
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati@sys-net.it
2006/10/16, Pierangelo Masarati ando@sys-net.it:
> The only possible solution I see in your case is modifying slapo-pcache so that it also caches binds (with all the security concerns this may imply); in that case, an attempt to lookup the bindDN locally should take place before contacting the remote server and, in case of success, identity assertion should be used if the subsequent search is not cached; if the bindDN is not cached, after a successful simple bind, the overlay should save a "glue" entry with the bindDN and the password (possibly encrypted).
My case is even more simple, because the bindDN the client will use is always the same, so based on your suggestion I'm thinking about doing something like this:
- Implement the 'bind' operation in the pcache overlay so it always returns success to the frontend.
- Substitute the 'meta' backend with multiple instances of the 'slapd' backend.
- Configure the 'slapd' backend so it always does identity assertion using mode 'self'.
Do you think I'm on the right way?
Regards,
Dani.
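As an added illustration (not configuration from either poster), the following slapd.conf fragment sketches steps 2 and 3 of Dani's plan on OpenLDAP 2.3: one back-ldap database per Active Directory domain, each carrying slapo-pcache and identity assertion. Host names, suffixes, the proxy account, its password and the cache parameters are placeholders; step 1 (a slapo-pcache that answers every bind with success) is a source change to the overlay and has no configuration equivalent.

```conf
# Added example, not from the thread. One back-ldap database per AD domain
# (repeat the block with its own suffix, uri and cache directory for the
# second domain). All names and values below are placeholders.
include         /etc/openldap/schema/core.schema
pidfile         /var/run/slapd/slapd.pid

#### First Active Directory domain ####
database        ldap
suffix          "dc=ad1,dc=example,dc=com"
uri             "ldap://dc1.ad1.example.com/"

# Identity assertion: slapd keeps a connection bound as a fixed proxy account
# and asserts the client's own DN on each forwarded operation, so no separate
# bind as the client is needed for searches that miss the cache.
idassert-bind   bindmethod=simple
                binddn="cn=slapd-proxy,cn=Users,dc=ad1,dc=example,dc=com"
                credentials="PLACEHOLDER-PASSWORD"
                mode=self
# Restrict which local identities may be asserted upstream.
idassert-authzFrom "dn.exact:cn=app,ou=clients,dc=ad1,dc=example,dc=com"
# Caveat: Active Directory does not implement the proxied authorization
# control that mode=self relies on; against AD, mode=none (operations run
# as the proxy account itself) is the setting that actually works.

# Proxy cache, 2.3 directive names: bdb-backed store, at most 10000 cached
# entries, one attribute set, cache only results of <= 50 entries, run the
# consistency check every 60 seconds.
overlay         pcache
proxycache      bdb 10000 1 50 60
proxyattrset    0 cn mail sAMAccountName memberOf
# Cache equality searches on sAMAccountName for one hour.
proxytemplate   (sAMAccountName=) 0 3600
directory       /var/lib/ldap/pcache-ad1
index           objectClass eq
index           sAMAccountName eq
```

With this in place, a cache hit is still preceded by the client's bind reaching back-ldap and thus a fresh upstream connection, which is exactly the behaviour Dani's step 1 is meant to short-circuit.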