http://tools.ietf.org/html/draft-wahl-ldap-session
Might be useful for clients that do connection pooling, or sssd, etc.
I don't think it would help in the load balancer case, especially when using SSL.
Per discussion on the email, set the milestone to FUTURE.
Simo Sorce wrote:
On Mon, 2014-08-18 at 13:16 -0700, Noriko Hosoi wrote:
> Hello SSSD team,
> Rich filed an interesting ticket:
> Ticket #47873 <https://fedorahosted.org/389/ticket/47873> - support LDAP Session Tracking Control http://tools.ietf.org/html/draft-wahl-ldap-session Might be useful for clients that do connection pooling, or sssd, etc.
> If implemented, could this feature be useful for SSSD? If yes, when / what version of SSSD requires it?
Client controlled session information sounds "dangerous" [*], given sssd always authenticates to the server it would be sufficient to allow adding the identity of the (bound) client to the log and optionally a uniquely identifying aspect of the connection (like a hash of srv ip:port + cli ip:port), that will in effect uniquely identify a session without needing input from a client.
This feature sounds interesting for a proxy application but while sssd does "proxy" request from multiple processes, it is also a caching layer that diminishes the need for concurrent requests, and requests are mostly on behalf of the "machine" anyway rather than individual users.
I've never really felt the need for deeper session tracking but it may just be me.
Simo.
[*] Client provided information is subject to spoofing, and can be used by impostors to try to conceal their traffic.
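A sketch of the server-derived identifier suggested in the comment above, added here as an example; it is not part of the ticket and not 389-ds-base code. The function names, the record layout, the SHA-256 truncation and the sample connections are all assumptions constructed for illustration.

```python
import hashlib
from collections import defaultdict
from typing import NamedTuple

class Conn(NamedTuple):
    srv: str         # server "ip:port" as seen by the server
    cli: str         # client "ip:port" as seen by the server
    bind_dn: str     # identity the server authenticated at bind
    client_sid: str  # client-supplied session value (untrusted)

def server_session_id(conn: Conn) -> str:
    """Hash of srv ip:port + cli ip:port; needs no input from the client.
    SHA-256 truncated to 16 hex chars is an assumption of this example."""
    return hashlib.sha256(f"{conn.srv}|{conn.cli}".encode()).hexdigest()[:16]

def log_record(conn: Conn, op: str) -> dict:
    """Log entry keyed on server-derived values; client value kept as a hint."""
    return {"sid": server_session_id(conn), "bind_dn": conn.bind_dn,
            "client_sid": conn.client_sid, "op": op}

def conflicting_client_sids(records: list) -> dict:
    """Client-supplied values that appear under more than one bound identity."""
    owners = defaultdict(set)
    for rec in records:
        owners[rec["client_sid"]].add(rec["bind_dn"])
    return {sid: sorted(dns) for sid, dns in owners.items() if len(dns) > 1}

# Constructed sample connections (documentation address ranges).
SERVER = "203.0.113.5:636"
CONNS = [
    Conn(SERVER, "192.0.2.10:40001", "uid=app1,ou=services,dc=example,dc=com", "web-sess-1"),
    Conn(SERVER, "192.0.2.10:40002", "uid=app1,ou=services,dc=example,dc=com", "web-sess-2"),
    # A different bound identity reusing someone else's client-supplied value.
    Conn(SERVER, "198.51.100.7:51515", "uid=guest,ou=people,dc=example,dc=com", "web-sess-1"),
]
RECORDS = [log_record(c, "SRCH") for c in CONNS]

if __name__ == "__main__":
    for rec in RECORDS:
        print(rec)
    print("conflicts:", conflicting_client_sids(RECORDS))
```

The client-supplied value repeats across two bound identities, while the server-derived identifier and bind DN still tell the connections apart.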
Metadata Update from @nhosoi: - Issue set to the milestone: FUTURE
Metadata Update from @mreynolds: - Custom field reviewstatus adjusted to None - Issue close_status updated to: wontfix - Issue status updated to: Closed (was: Open)
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/1204
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.