mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-21 03:10:25 +08:00
add a caveat on access control issues
This commit is contained in:
parent
6b93c656a1
commit
dcdd2a567a
@@ -133,7 +133,52 @@ cachesize 100
 .RE
 .LP
 Any valid directives for the chosen database type may be used.
+.SH CAVEATS
+Caching data is prone to inconsistencies because updates on the remote server
+will not be reflected in the response of the cache at least (and at most)
+for the duration of the
+.B proxytemplate
+.BR TTL .
+
+Another potential (and subtle) inconsistency may occur when data is retrieved
+with different identities and specific per-identity access control
+is enforced by the remote server.
+If data was retrieved with an identity that collected only partial results
+because of access rules enforcement on the remote server, other users
+with different access privileges on the remote server will get different
+results from the remote server and from the cache.
+If those users have higher access privileges on the remote server, they will
+get from the cache only a subset of the results they would get directly
+from the remote server; but if they have lower access privileges, they will
+get from the cache a superset of the results they would get directly
+from the remote server.
+Either occurrence may or may not be acceptable, based on the security policy
+of the cache and of the remote server.
+It is important to note that in this case the proxy is violating the security
+of the remote server by disclosing to an identity data that was collected
+by another identity.
+For this reason, it is suggested that, when using
+.BR back-ldap ,
+proxy caching be used in conjunction with the
+.I identity assertion
+feature of
+.BR slapd-ldap (5)
+(see the
+.B idassert-bind
+and the
+.B idassert-authz
+statements), so that remote server interrogation occurs with a vanilla identity
+that has some relatively high
+.B search
+and
+.B read
+access privileges, and the "real" access control is delegated to the proxy's ACLs.
+Beware that since only the cached fraction of the real datum is available
+to the cache, it may not be possible to enforce the same access rules that
+are defined on the remote server.
+When security is a concern, cached proxy access must be carefully tailored.
 .SH FILES
 
 .TP
 ETCDIR/slapd.conf
 default slapd configuration file
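Review bot: the bound stated in the first CAVEATS paragraph, "at least (and at most) for the duration of the proxytemplate TTL", is wrong on the "at least" side: an update made partway through a cached answer's lifetime is masked only until that answer expires, so the stale window is at most one TTL, and can be shorter. Suggest "for up to the duration of the" / ".B proxytemplate" / ".BR TTL ." Two smaller points in the identity-assertion paragraph: "a vanilla identity" is informal for a manual page, "a single, fixed identity" says the same thing; and since that fixed identity is chosen to have high search and read privileges, the cache necessarily holds the superset case described a few sentences earlier, so it would help the reader to state outright that every cached answer is then only as well protected as the proxy's own ACLs, which the closing sentences already admit may not reproduce the remote server's rules.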
|