Posted to dev@httpd.apache.org by Andre Schild <A....@aarboard.ch> on 2003/03/17 08:24:59 UTC

Antw: Re: [patch]2 : mod_auth_ldap doesn't effectively use the cache with "require user User1 User2 .." dir

> trapkov@netscape.net 16.03.2003 21:45:12 >>>
>>Graham Leggett <mi...@sharp.fm> wrote:

>Then your idea to use "'s and have only one check is probably a solution
>or we can have an extra option to specify how this "require user User1 User2 .."
>to be interpreted - as a single value or as a list of values.
I'm against yet another option, because we can't guarantee
correct behaviour if the quotes are turned off.

Better when we find a " in the line, use those as quotes.
If no " are found, then use the blanks as separators. (And this
automatically disallows usernames with blanks in them.)

>BTW, how the other apache authentication modules treat this situation?
Good question....

>If first all values are checked against the cache and then if we 
>don't find a match we go to the LDAP - this will make the 
>cache used properly - no ldap requests sent if we have cached 
>the positive result, the negative results are not cached anyway.
> I don't see negative caching.
The only advantage a negative caching would provide is (slightly) a better
handling of DOS attacks. Of course a DOS attack is still possible
when requesting user1, user2.... user99999

Of course a negative cache should have a "short" cache lifetime.
3-5 minutes or so.

André

aarboard ag
internet - networks - screen&print design - multimedia
Egliweg 10 - Postfach 214 - CH-2560 Nidau (Switzerland)
Phone +41 32 332 9714 - Fax +41 32 332 9715
www.aarboard.ch - a.schild@aarboard.ch
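
The splitting rule proposed in the message above (quotes delimit names when the line contains a `"`, blanks otherwise), as an added example that is not part of the original post and not mod_auth_ldap's code. The function name `split_require_users` and the limits `MAX_USERS` and `MAX_NAME` are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_USERS 16   /* hypothetical limits for this example */
#define MAX_NAME  64

/* Split the argument of "require user ..." into names.
 * If the line contains a '"', quoted names keep their blanks;
 * without any '"', blanks separate names, so names cannot contain blanks.
 * Returns the number of names, or -1 on an unterminated quote, an empty
 * or over-long name, or more than max names (fail closed, never truncate). */
int split_require_users(const char *line, char out[][MAX_NAME], int max)
{
    int n = 0;
    int quoted = strchr(line, '"') != NULL;
    const char *p = line;

    for (;;) {
        while (*p && isspace((unsigned char)*p)) p++;
        if (!*p) break;
        if (n == max) return -1;
        const char *start, *end;
        if (quoted && *p == '"') {
            start = ++p;
            end = strchr(p, '"');
            if (!end) return -1;          /* unterminated quote */
            p = end + 1;
        } else {
            start = p;
            while (*p && !isspace((unsigned char)*p) && *p != '"') p++;
            end = p;
        }
        size_t len = (size_t)(end - start);
        if (len == 0 || len >= MAX_NAME) return -1;
        memcpy(out[n], start, len);
        out[n++][len] = '\0';
    }
    return n;
}

int main(void)
{
    char users[MAX_USERS][MAX_NAME];
    /* Constructed sample directive argument. */
    int n = split_require_users("\"John Smith\" User2", users, MAX_USERS);
    for (int i = 0; i < n; i++)
        printf("[%s]\n", users[i]);
    return n < 0;
}
```

Rejecting a malformed line outright, rather than guessing at a partial list, keeps an authorization directive from silently matching a different set of users than the administrator wrote.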