Integrate LDAP support #246
Comments
This is an interesting potential feature. I think that caching is key here, because there's no particular reason to suppose that C++ LDAP lookups will be much faster than Lua LDAP lookups. Both delay the Lua call enormously. What might be better is a pre-call to LDAP before Lua is called, and the results passed to Lua.
BTW @sshipway, are you aware of the ability to look up arbitrary LDAP data from Dovecot and pass that information to weakforce? That may give you what you want, without the need to do LDAP lookups in weakforced. See the example of "attrs/cos=%{userdb:cos}" in https://wiki.dovecot.org/Authentication/Policy
Yes, I know about doing LDAP retrievals per-user in Dovecot; however, weakforced is wider than Dovecot, and we also call it from AppSuite, Momentum and potentially other applications in the future; plus the use case I'm thinking about is where you might have per-domain limit options, which would be a separate LDAP lookup to the userdb. We have multiple customers who may wish to set per-domain thresholds over all of their mailbox domain at once. As you said, the caching is the key (though having a native function would make the coding easier), including negative caching, to speed things up. Being able to set a positive and negative lookup cache time, plus cache size (and to extract stats on cache occupancy and hit rate for tuning) would be good.
Feature request -
It would be useful to have support for LDAP lookups integrated into Weakforced.
Although we can currently make LDAP queries by using the Lua LDAP module, this can be relatively slow, particularly when you're trying to make a fast allow() function call. An integrated LDAP lookup (similar to the integrated DNS lookup) could have caching (both positive and negative) to help speed things up, and better timeout handling; this would potentially allow people to configure per-account thresholds in their rules without performance problems.
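The cache behaviour requested in this thread (separate positive and negative lifetimes, a size bound, and occupancy and hit-rate statistics) can be sketched as below. This is an added example, not weakforced code: `LookupCache`, `Backend` and every other name are hypothetical, and the backend callback stands in for the slow LDAP query.

```cpp
#include <chrono>
#include <cstddef>
#include <functional>
#include <optional>
#include <string>
#include <unordered_map>
#include <utility>

// Added illustration with hypothetical names; not weakforced code.
using Clock = std::chrono::steady_clock;
using Value = std::optional<std::string>;  // nullopt = "no such entry" (negative result)
using Backend = std::function<Value(const std::string&)>;  // stand-in for the LDAP query

class LookupCache {
public:
    LookupCache(Backend b, std::chrono::seconds posTtl, std::chrono::seconds negTtl,
                std::size_t maxEntries)
        : backend_(std::move(b)), posTtl_(posTtl), negTtl_(negTtl), max_(maxEntries) {}

    // 'now' is a parameter so expiry can be exercised without sleeping.
    Value get(const std::string& key, Clock::time_point now = Clock::now()) {
        auto it = map_.find(key);
        if (it != map_.end() && now < it->second.expires) {
            ++hits_;
            return it->second.value;  // fresh entry, positive or negative
        }
        ++misses_;
        Value v = backend_(key);  // reached only on a miss or an expired entry
        if (it == map_.end() && map_.size() >= max_) evictOne();
        map_[key] = Entry{v, now + (v ? posTtl_ : negTtl_)};
        return v;
    }
    std::size_t occupancy() const { return map_.size(); }
    double hitRate() const {
        std::size_t total = hits_ + misses_;
        return total ? static_cast<double>(hits_) / total : 0.0;
    }

private:
    struct Entry { Value value; Clock::time_point expires; };
    // Drop the entry nearest to (or past) expiry; a linear scan keeps the example short.
    void evictOne() {
        auto victim = map_.begin();
        for (auto i = map_.begin(); i != map_.end(); ++i)
            if (i->second.expires < victim->second.expires) victim = i;
        if (victim != map_.end()) map_.erase(victim);
    }
    Backend backend_;
    std::chrono::seconds posTtl_, negTtl_;
    std::size_t max_, hits_ = 0, misses_ = 0;
    std::unordered_map<std::string, Entry> map_;
};
```

Because negative entries get the shorter lifetime, they are also the first to be evicted when the cache is full, so unknown keys cannot crowd out known ones for long.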