On Thu, 9 Jan 2003, Jeremy Rumpf wrote:

> On Thursday 09 January 2003 03:55 pm, Paul M Fleming wrote:
> > Timing out the passwords is simple (I think). I would store the time
> > when the entry is added and force a reauth if the password has been
> > cached longer than a timeout (for example one hour). That forces a
> > reauth at least every timeout period of time. If an entry isn't in the
> > cache (or if it is different, the entry would be removed and) a reauth
> > would be forced. Every successful auth would be added to the cache.
>
> Some time ago I wrote a plugin for the Netscape/iPlanet Directory server that
> intercepted bind authentications and passed them off to a Kerberos backend.
> It allowed us to integrate LDAP services with our Kerberos environment.
> Anyhow, it implemented just this, with the timeouts and all. I also
> implemented a checkpoint feature where the hash table was periodically dumped
> to a file. That way if you restarted the LDAP server you wouldn't lose your
> cached entries. You can grab a copy of the plugin at:
>
> ftp://ftp.net.ohio-state.edu/pub/users/jrumpf/krbdirp-1.2.0.tar.gz
>
> Look in the file krbdirp.c, specifically at the function
> validate_with_cache(). The text file CACHE also has some thoughts and ideas.
>
> The LDAP directory was used for an iPlanet mail setup to store user
> information. The idea of the credential cache has worked quite well.
> Implementing it for saslauthd would be a nice feature.
>
> I'd be more than willing to help/contribute to the effort.
>
> Cheers,
> Jeremy
I agree. I know Simon would like this feature. :)

OpenLDAP APIs have a client side cache, but I think it has some issues.

saslauthd needs to remain a 'light' process. It is really a helper program for 'big' servers such as cyrus, sendmail, postfix, etc.

You might want to check out http://www.ossp.org/pkg/lib/mm/ for a portable IPC library.

--
Igor
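The timeout cache Paul and Jeremy describe, written out as an added example (this is not the krbdirp or saslauthd code, and the backend authenticator, the clock parameter and the checkpoint format are my assumptions). It goes one step beyond the thread in that entries hold a salted PBKDF2 hash of the password rather than the password itself, so a checkpoint file on disk does not leak credentials.

```python
import hashlib, hmac, json, os, time

# Added example of a saslauthd-style credential cache with a one-hour timeout,
# modelled on the scheme discussed in the thread (not the krbdirp code).
TIMEOUT = 3600          # cache lifetime in seconds (one hour, as in the thread)
ITERATIONS = 100_000    # PBKDF2 work factor; constructed value, tune for your load

def _derive(password, salt):
    # Salted, slow hash so a dumped cache is not a password list
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

class CredCache:
    def __init__(self, backend, timeout=TIMEOUT, now=time.time):
        self.backend = backend  # callable (user, password) -> bool: the real authenticator
        self.timeout = timeout
        self.now = now          # injectable clock so expiry can be tested
        self.entries = {}       # user -> (salt, digest, added_at)

    def validate(self, user, password):
        """Return (ok, source) where source is 'cache' or 'backend'."""
        entry = self.entries.get(user)
        if entry is not None:
            salt, digest, added_at = entry
            if self.now() - added_at > self.timeout:
                del self.entries[user]          # expired: force a re-auth
            elif hmac.compare_digest(_derive(password, salt), digest):
                return True, "cache"            # fresh and matching: cache hit
            else:
                del self.entries[user]          # different password: drop it, re-auth
        ok = self.backend(user, password)
        if ok:                                  # every successful auth is cached
            salt = os.urandom(16)
            self.entries[user] = (salt, _derive(password, salt), self.now())
        return ok, "backend"

    def checkpoint(self, path):
        """Dump the cache so a restart does not lose entries (hex-encoded bytes)."""
        data = {u: [s.hex(), d.hex(), t] for u, (s, d, t) in self.entries.items()}
        with open(path, "w") as f:
            json.dump(data, f)

    def restore(self, path):
        """Reload a checkpoint; expiry is still enforced against the stored time."""
        with open(path) as f:
            for u, (s, d, t) in json.load(f).items():
                self.entries[u] = (bytes.fromhex(s), bytes.fromhex(d), t)
```

Note that a cache hit only ever confirms a password that the backend already accepted within the timeout window; a wrong password never falls through to the cache, it evicts the entry and goes to the backend.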