MAN page from StartCom 5 openldap-servers-overlays-2.3.43-12.SEL5_5.i386.rpm


Section: File Formats (5)
Updated: 2008/07/16


slapo-pcache - proxycache overlay 




Thepcacheoverlay toslapd(8)allows caching of LDAP search requests (queries) in a local database.For an incoming query, theproxy cache determines its corresponding template. If the templatewas specified as cacheable using the proxytemplate directiveand the request is contained in a cached request, it is answered from the proxy cache.Otherwise, the search is performed as usual and cacheable search results are saved in the cache for use in future queries.

A template is defined by a filter string and an index identifying a set ofattributes. The template string for a query can be obtained byremoving assertion values from the RFC 2254 representation of its searchfilter. A query belongs to a template if its template string and set ofprojected attributes correspond to a cacheable template.Examples of template strings are (mail=), (|(sn=)(cn=)),(&(sn=)(givenName=)).

The config directives that are specific to theproxycacheoverlay can be prefixed byproxycache-,to avoid conflicts with directives specific to the underlying databaseor to other stacked overlays. This may be particularly useful for thosedirectives that refer to the backend used for local storage.The following cache specific directives can be used to configure the proxycache:

overlay pcache
This directive adds the proxy cache overlay to the current backend. Theproxy cache overlay may be used with any backend but is intended for usewith theldap,meta,andsqlbackends.
proxycache <database> <max_entries> <numattrsets> <entry_limit> <cc_period>
The directive enables proxy caching in the current backend and sets generalcache parameters. A <database> backend will be used internally to maintainthe cached entries. The chosen database will need to be configured as well,as shown below. Cache replacement is invoked when the cache size grows to <max_entries> entries and continues till the cache size drops below this size.<numattrsets> should be equal to the number of following proxyattrsetdirectives. Queries are cached only if they correspond to a cacheable template(specified by the proxytemplate directive) and the number of entriesreturned is less than <entry_limit>. Consistency check is performed every<cc_period> duration (specified in secs). In each cycle queries with expired"time to live(TTL)" are removed. A sample cache configuration is:

proxycache bdb 10000 1 50 100
proxycachequeries <queries>
Specify the maximum number of queries to cache. The default is 10000.

proxyattrset <index> <attrs...>
Used to associate a set of attributes <attrs..> with an <index>. Each attributeset is associated with an integer from 0 to <numattrsets>-1. These indices areused by the proxytemplate directive to define cacheable templates.

proxytemplate <template_string> <attrset_index> <ttl> [<negttl>]
Specifies a cacheable template and "time to live" (in sec) <ttl> of queries belonging to the template. An optional <negttl> can be used to specifythat negative results (i.e., queries that returned zero entries)should also be cached for the specified number of seconds. Negativeresults are not cached by default.

response-callback { head | tail }
Specifies whether the response callback should be placed at thetail(the default) or at the head(actually, wherever the stacking sequence would make it appear) of the callback list. This affects how the overlay interacts with otheroverlays, since the proxycache overlay should be executed as early as possible (and thus configured as late as possible), to get a chance to return the cached results; however, if executed earlyat response, it would cache entries that may be later "massaged"by other databases and thus returned after massaging the firsttime, and before massaging when cached.

There are some constraints:

all values must be positive;

<entry_limit>must be less than or equal to<max_entries>;

<numattrsets>attribute sets SHOULD be defined by using the directiveproxyattrset;

all attribute sets SHOULD be referenced by (at least) oneproxytemplatedirective;

The following adds a template with filter string (&(sn=)(givenName=)) and attributes mail, postaladdress, telephonenumber and a TTL of 1 hour.

proxyattrset 0 mail postaladdress telephonenumberproxytemplate (&(sn=)(givenName=)) 0 3600

Directives for configuring the underlying database must also be given, asshown here:

directory /var/tmp/cachecachesize 100

Any valid directives for the chosen database type may be used. Indexingshould be used as appropriate for the queries being handled. In addition,an equality index on the queryid attribute should be configured, toassist in the removal of expired query data. 


Caching data is prone to inconsistencies because updates on the remote serverwill not be reflected in the response of the cache at least (and at most)for the duration of theproxytemplateTTL.

The remote server should expose theobjectClass attribute because the underlying database that actually caches the entries may need it for optimal local processing of the queries.

Another potential (and subtle) inconsistency may occur when data is retrieved with different identities and specific per-identity access controlis enforced by the remote server.If data was retrieved with an identity that collected only partial resultsbecause of access rules enforcement on the remote server, other userswith different access privileges on the remote server will get differentresults from the remote server and from the cache.If those users have higher access privileges on the remote server, they will get from the cache only a subset of the results they would get directly from the remote server; but if they have lower access privileges, they will get from the cache a superset of the results they would get directly from the remote server.Either occurrence may or may not be acceptable, based on the security policyof the cache and of the remote server.It is important to note that in this case the proxy is violating the securityof the remote server by disclosing to an identity data that was collected by another identity.For this reason, it is suggested that, when usingback-ldap,proxy caching be used in conjunction with the identity assertionfeature ofslapd-ldap(5)(see theidassert-bindand theidassert-authzstatements), so that remote server interrogation occurs with a vanilla identity that has some relatively highsearchandreadaccess privileges, and the "real" access control is delegated to the proxy's ACLs.Beware that since only the cached fraction of the real datum is availableto the cache, it may not be possible to enforce the same access rules thatare defined on the remote server.When security is a concern, cached proxy access must be carefully tailored. 


default slapd configuration file




Originally implemented by Apurva Kumar as an extension to back-meta;turned into an overlay by Howard Chu.




This document was created byman2html,using the manual pages.