slapo-pcache(5)


NAME

   slapo-pcache - proxy cache overlay to slapd

SYNOPSIS

   /etc/ldap/slapd.conf

DESCRIPTION

   The  pcache  overlay to slapd(8) allows caching of LDAP search requests
   (queries) in a local database.  For an incoming query, the proxy  cache
   determines its corresponding template. If the template was specified as
   cacheable  using  the  pcacheTemplate  directive  and  the  request  is
   contained  in  a  cached  request, it is answered from the proxy cache.
   Otherwise, the search  is  performed  as  usual  and  cacheable  search
   results are saved in the cache for use in future queries.

   A template is defined by a filter string and an index identifying a set
   of attributes. The template string for  a  query  can  be  obtained  by
   removing  assertion  values  from  the  RFC  4515 representation of its
   search filter. A query belongs to a template if its template string and
   set  of  projected  attributes  correspond  to  a  cacheable  template.
   Examples   of   template   strings    are    (mail=),    (|(sn=)(cn=)),
   (&(sn=)(givenName=)).

   The  config  directives  that are specific to the pcache overlay can be
   prefixed by pcache-, to avoid conflicts with directives specific to the
   underlying  database  or  to  other  stacked  overlays.   This  may  be
   particularly useful for those directives that refer to the backend used
   for local storage.  The following cache specific directives can be used
   to configure the proxy cache:

   overlay pcache
          This directive adds the  proxy  cache  overlay  to  the  current
          backend.  The  proxy  cache overlay may be used with any backend
          but is intended for use with the ldap, meta, and  sql  backends.
          Please  note  that the underlying backend must have a configured
          rootdn.

   pcache <database> <max_entries> <numattrsets> <entry_limit> <cc_period>
          The directive enables proxy caching in the current  backend  and
          sets general cache parameters. A <database> backend will be used
          internally to maintain the cached entries. The  chosen  database
          will  need  to  be  configured  as  well,  as shown below. Cache
          replacement  is  invoked  when   the   cache   size   grows   to
          <max_entries>  entries  and  continues till the cache size drops
          below this size.  <numattrsets> should be equal to the number of
          following  pcacheAttrset  directives. Queries are cached only if
          they correspond  to  a  cacheable  template  (specified  by  the
          pcacheTemplate  directive) and the number of entries returned is
          less than <entry_limit>. Consistency check  is  performed  every
          <cc_period>  duration (specified in secs). In each cycle queries
          with expired "time to live(TTL)" are  removed.  A  sample  cache
          configuration is:

          pcache bdb 10000 1 50 100

   pcacheAttrset <index> <attrs...>
          Used to associate a set of attributes <attrs..> with an <index>.
          Each attribute set is associated  with  an  integer  from  0  to
          <numattrsets>-1.  These  indices  are used by the pcacheTemplate
          directive to define cacheable templates.  A  set  of  attributes
          cannot  be  empty.   A set of attributes can contain the special
          attributes "*"  (all  user  attributes),  "+"  (all  operational
          attributes)  or both; in the latter case, any other attribute is
          redundant  and  should  be  avoided  for  clarity.   A  set   of
          attributes  can  contain  "1.1"  as  the only attribute; in this
          case, only the presence of the entries  is  cached.   Attributes
          prefixed by "undef:" need not be present in the schema.

   pcacheMaxQueries <queries>
          Specify  the  maximum number of queries to cache. The default is
          10000.

   pcacheValidate { TRUE | FALSE }
          Check whether the results of a query being cached  can  actually
          be  returned from the cache by the proxy DSA.  When enabled, the
          entries being returned while caching the results of a query  are
          checked to ensure consistency with the schema known to the proxy
          DSA.  In case of failure, the query is not cached.  By  default,
          the check is off.

   pcacheOffline { TRUE | FALSE }
          Set  the  cache  to offline mode. While offline, the consistency
          checker will be stopped and  no  expirations  will  occur.  This
          allows  the  cache  contents  to  be used indefinitely while the
          proxy is cut off from network access to  the  remote  DSA.   The
          default  is  FALSE, i.e. consistency checks and expirations will
          be performed.

   pcachePersist { TRUE | FALSE }
          Specify whether  the  cached  queries  should  be  saved  across
          restarts  of  the  caching  proxy, to provide hot startup of the
          cache.  Only non-expired queries are reloaded.  The  default  is
          FALSE.

          CAVEAT: of course, the configuration of the proxy cache must not
          change across restarts; the pcache overlay does not perform  any
          consistency checks in this sense.  In detail, this option should
          be disabled unless the existing pcacheAttrset and pcacheTemplate
          directives are not changed neither in order nor in contents.  If
          new sets and templates are added, or if  other  details  of  the
          pcache overlay configuration changed, this feature should not be
          affected.

   pcacheTemplate  <template_string>   <attrset_index>   <ttl>   [<negttl>
   [<limitttl> [<ttr>]]]
          Specifies  a  cacheable  template  and  "time  to live" <ttl> of
          queries belonging to the template. An optional <negttl>  can  be
          used  to  specify  that  negative  results  (i.e.,  queries that
          returned zero entries) should also be cached for  the  specified
          amount  of  time.  Negative  results  are  not cached by default
          (<negttl> set to 0).  An optional  <limitttl>  can  be  used  to
          specify  that  results hitting a sizelimit should also be cached
          for the specified amount of time.  Results hitting  a  sizelimit
          are  not  cached  by default (<limitttl> set to 0).  An optional
          <ttr> "time to refresh" can  be  used  to  specify  that  cached
          entries  should be automatically refreshed after a certain time.
          Entries will only be refreshed while they have not  expired,  so
          the  <ttl> should be larger than the <ttr> for this option to be
          useful. Entries are not refreshed by default (<ttr> set to 0).

   pcacheBind <filter_template> <attrset_index> <ttr> <scope> <base>
          Specifies a template for caching Simple Bind  credentials  based
          on  an  already defined pcacheTemplate. The <filter_template> is
          similar to a <template_string> except  that  it  may  have  some
          values  present. Its purpose is to allow the overlay to generate
          filters similar to what other applications do  when  they  do  a
          Search  immediately  before  a  Bind.  E.g.,  if  a  client like
          nss_ldap is configured to search for  a  user  with  the  filter
          "(&(objectClass=posixAccount)(uid=<username>))"     then     the
          corresponding   template   "(&(objectClass=posixAccount)(uid=))"
          should  be  used here. When converted to a regular template e.g.
          "(&(objectClass=)(uid=))" this template and the  <attrset_index>
          must  match  an already defined pcacheTemplate clause. The "time
          to refresh" <ttr> determines the time interval after  which  the
          cached credentials may be refreshed. The first Bind request that
          occurs  after  that  time  will  trigger  the  refresh  attempt.
          Refreshes  are  not performed when the overlay is Offline. There
          is no "time to live" parameter for  the  Bind  credentials;  the
          credentials will expire according to the pcacheTemplate ttl. The
          <scope> and <base> should match the search scope and  base  used
          by  the  authentication  clients. The cached credentials are not
          stored in cleartext, they are hashed using the default  password
          hash.  By default Bind caching is not enabled.

   pcachePosition { head | tail }
          Specifies  whether the response callback should be placed at the
          tail (the default)  or  at  the  head  (actually,  wherever  the
          stacking  sequence  would  make it appear) of the callback list.
          This affects how the  overlay  interacts  with  other  overlays,
          since  the  proxycache  overlay  should  be executed as early as
          possible (and thus configured as late as  possible),  to  get  a
          chance  to return the cached results; however, if executed early
          at response, it would cache entries that may be later "massaged"
          by  other  databases and thus returned after massaging the first
          time, and before massaging when cached.

   There are some constraints:

          all values must be positive;

          <entry_limit> must be less than or equal to <max_entries>;

          <numattrsets> attribute sets SHOULD  be  defined  by  using  the
          directive pcacheAttrset;

          all  attribute  sets  SHOULD  be  referenced  by  (at least) one
          pcacheTemplate directive;

   The following adds a template with filter  string  (&(sn=)(givenName=))
   and  attributes  mail,  postaladdress,  telephonenumber  and a TTL of 1
   hour.

          pcacheAttrset 0 mail postaladdress telephonenumber
          pcacheTemplate (&(sn=)(givenName=)) 0 3600

   Directives for configuring the underlying database must also be  given,
   as shown here:

          directory /var/tmp/cache
          cachesize 100

   Any valid directives for the chosen database type may be used. Indexing
   should be used  as  appropriate  for  the  queries  being  handled.  In
   addition,  an  equality  index on the pcacheQueryid attribute should be
   configured, to assist in the removal of expired query data.

BACKWARD COMPATIBILITY

   The configuration keywords have been renamed  and  the  older  form  is
   deprecated. These older keywords are still recognized but may disappear
   in future releases.

   proxycache
          use pcache

   proxyattrset
          use pcacheAttrset

   proxycachequeries
          use pcacheMaxQueries

   proxycheckcacheability
          use pcacheValidate

   proxysavequeries
          use pcachePersist

   proxytemplate
          use pcacheTemplate

   response-callback
          use pcachePosition

CAVEATS

   Caching data is prone to inconsistencies because updates on the  remote
   server will not be reflected in the response of the cache at least (and
   at  most)  for  the  duration  of  the   pcacheTemplate   TTL.    These
   inconsistencies can be minimized by careful use of the TTR.

   The  remote  server should expose the objectClass attribute because the
   underlying database that actually caches the entries may  need  it  for
   optimal local processing of the queries.

   The proxy server should contain all the schema information required for
   caching.  Significantly, it needs the schema of attributes used in  the
   query  templates.   If  the  objectClass  attribute  is used in a query
   template, it needs the definition of the objectClasses of  the  entries
   it  is  supposed  to  cache.   It  is  the  responsibility of the proxy
   administrator to keep the proxy  schema  lined  up  with  that  of  the
   proxied server.

   Another  potential  (and  subtle)  inconsistency may occur when data is
   retrieved with different identities and  specific  per-identity  access
   control  is  enforced by the remote server.  If data was retrieved with
   an identity that collected only partial results because of access rules
   enforcement  on  the  remote  server, other users with different access
   privileges on the remote server will get  different  results  from  the
   remote  server  and  from the cache.  If those users have higher access
   privileges on the remote server, they will get from the  cache  only  a
   subset  of  the results they would get directly from the remote server;
   but if they have lower access privileges, they will get from the  cache
   a  superset  of  the  results  they  would get directly from the remote
   server.  Either occurrence may or may not be acceptable, based  on  the
   security policy of the cache and of the remote server.  It is important
   to note that in this case the proxy is violating the  security  of  the
   remote  server  by disclosing to an identity data that was collected by
   another identity.  For this reason, it is suggested  that,  when  using
   back-ldap,  proxy  caching  be  used  in  conjunction with the identity
   assertion feature of  slapd-ldap(5)  (see  the  idassert-bind  and  the
   idassert-authz  statements), so that remote server interrogation occurs
   with a vanilla identity that has some relatively high search  and  read
   access  privileges,  and  the "real" access control is delegated to the
   proxy's ACLs.  Beware that since only the cached fraction of  the  real
   datum  is available to the cache, it may not be possible to enforce the
   same access rules that are defined on the remote server.  When security
   is a concern, cached proxy access must be carefully tailored.

FILES

   /etc/ldap/slapd.conf
          default slapd configuration file

SEE ALSO

   slapd.conf(5),     slapd-config(5),    slapd-ldap(5),    slapd-meta(5),
   slapd-sql(5), slapd(8).

AUTHOR

   Originally implemented by Apurva Kumar as an  extension  to  back-meta;
   turned into an overlay by Howard Chu.





Opportunity


Personal Opportunity - Free software gives you access to billions of dollars of software at no cost. Use this software for your business, personal use or to develop a profitable skill. Access to source code provides access to a level of capabilities/information that companies protect though copyrights. Open source is a core component of the Internet and it is available to you. Leverage the billions of dollars in resources and capabilities to build a career, establish a business or change the world. The potential is endless for those who understand the opportunity.

Business Opportunity - Goldman Sachs, IBM and countless large corporations are leveraging open source to reduce costs, develop products and increase their bottom lines. Learn what these companies know about open source and how open source can give you the advantage.





Free Software


Free Software provides computer programs and capabilities at no cost but more importantly, it provides the freedom to run, edit, contribute to, and share the software. The importance of free software is a matter of access, not price. Software at no cost is a benefit but ownership rights to the software and source code is far more significant.


Free Office Software - The Libre Office suite provides top desktop productivity tools for free. This includes, a word processor, spreadsheet, presentation engine, drawing and flowcharting, database and math applications. Libre Office is available for Linux or Windows.





Free Books


The Free Books Library is a collection of thousands of the most popular public domain books in an online readable format. The collection includes great classical literature and more recent works where the U.S. copyright has expired. These books are yours to read and use without restrictions.


Source Code - Want to change a program or know how it works? Open Source provides the source code for its programs so that anyone can use, modify or learn how to write those programs themselves. Visit the GNU source code repositories to download the source.





Education


Study at Harvard, Stanford or MIT - Open edX provides free online courses from Harvard, MIT, Columbia, UC Berkeley and other top Universities. Hundreds of courses for almost all major subjects and course levels. Open edx also offers some paid courses and selected certifications.


Linux Manual Pages - A man or manual page is a form of software documentation found on Linux/Unix operating systems. Topics covered include computer programs (including library and system calls), formal standards and conventions, and even abstract concepts.