Путеводитель по Руководству Linux
  User  |  Syst  |  Libr  |  Device  |  Files  |  Other  |  Admin  |  Head  |


   slapo-pcache    ( 5 )

наложение прокси-кеша на slapd (proxy cache overlay to slapd)
  Name  |  Synopsis  |  Description  |  Backward compatibility  |    Caveat    |  Files  |  See also  |

Предостережение (Caveat)

Caching data is prone to inconsistencies because updates on the
       remote server will not be reflected in the response of the cache
       at least (and at most) for the duration of the pcacheTemplate
       TTL.  These inconsistencies can be minimized by careful use of
       the TTR.


       The proxy cache overlay requires a full result set of data to
       properly function. Therefore it will strip out the paged results
       control if it is requested by the client.


       The remote server should expose the objectClass attribute because
       the underlying database that actually caches the entries may need
       it for optimal local processing of the queries.


       The proxy server should contain all the schema information
       required for caching.  Significantly, it needs the schema of
       attributes used in the query templates.  If the objectClass
       attribute is used in a query template, it needs the definition of
       the objectClasses of the entries it is supposed to cache.  It is
       the responsibility of the proxy administrator to keep the proxy
       schema lined up with that of the proxied server.


       Another potential (and subtle) inconsistency may occur when data
       is retrieved with different identities and specific per-identity
       access control is enforced by the remote server.  If data was
       retrieved with an identity that collected only partial results
       because of access rules enforcement on the remote server, other
       users with different access privileges on the remote server will
       get different results from the remote server and from the cache.
       If those users have higher access privileges on the remote
       server, they will get from the cache only a subset of the results
       they would get directly from the remote server; but if they have
       lower access privileges, they will get from the cache a superset
       of the results they would get directly from the remote server.
       Either occurrence may or may not be acceptable, based on the
       security policy of the cache and of the remote server.  It is
       important to note that in this case the proxy is violating the
       security of the remote server by disclosing to an identity data
       that was collected by another identity.  For this reason, it is
       suggested that, when using back-ldap, proxy caching be used in
       conjunction with the identity assertion feature of slapd-ldap(5)
       (see the idassert-bind and the idassert-authz statements), so
       that remote server interrogation occurs with a vanilla identity
       that has some relatively high search and read access privileges,
       and the "real" access control is delegated to the proxy's ACLs.
       Beware that since only the cached fraction of the real datum is
       available to the cache, it may not be possible to enforce the
       same access rules that are defined on the remote server.  When
       security is a concern, cached proxy access must be carefully
       tailored.