[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Can I bind to server with DN not on server ?

To: "'Pierangelo Masarati'" <ando@sys-net.it>, "'Tom Riddle'" <ftr@highstreetnetworks.com>
Subject: RE: Can I bind to server with DN not on server ?
From: "Howard Chu" <hyc@symas.com>
Date: Sat, 29 Nov 2003 04:04:31 -0800
Cc: <openldap-software@OpenLDAP.org>
Importance: Normal
In-reply-to: <3FC881D4.7030104@sys-net.it>

> -----Original Message-----
> From: Pierangelo Masarati [mailto:ando@sys-net.it]

> Tom Riddle wrote:
> > Howard Chu wrote:
> >> If you're using OpenLDAP 2.1 or newer, you can use back-ldap for
> >> distributing
> >> the tree instead of using referrals. In this case, all of
> the naming
> >> contexts
> >> will be defined on all of the servers, but some portions
> will be local
> >> databases and some portions will be proxied via back-ldap. So in
> >> effect all
> >> of your binds will always be contained within any of the
> servers' naming
> >> contexts.

> As Tom and I discussed privately, what's basically needed here
> is a mechanism, totally transparent to the client, that allows
> a system administrator to set up the distributed DSA in such
> a way that when a client authenticates to either of the servers,
> its credentials are automatically propagated to those members
> of the distributed DSA where operations need to be propagated:
> a sort of authorization mechanism.  This could be done easily
> by means of a control that allows a proxy to connect to a remote
> server with an administrative identity and ask the remote server
> to replace this identity into that of the client that initiated the
> operation.  The remote server must trust the administrative
> identity (e.g. there must be some permission mechanism that
> allows one identity to become another "lesser" identity; the
> easiest way would be to set up a static "proxydn" in the database
> portion of slapd.conf, but we could also think of some new acl
> permission, or recycle the auth permission).
>
> So, as soon as a client binds to the proxy, and requests an operation
> that needs propagation to a remote server, the proxy should bind
> to the remote server with the administrative identity, authorize
> the client's identity, and reserve that connection to operations for
> that client.
>
> To summarize:
>
> at the proxy side:
> - a (client-side) control on top of bind to change identity
>
> at the remote server side:
> - a (server-side) control on top of bind that changes identity
>   if permitted;
> - a simple permission mechanism, e.g.:
>   * expand ACL auth permission semantics
>   * introduce a new ACL permission (su?)
>   * use a static "proxydn" statement in slapd.conf
>
> I hope I'm not reinventing the wheel, though: thinking about
> the proxyauth mechanism.

You'll see that I went down pretty much this path on openldap-devel several
months ago. But the notion of a proxyAuth control for Bind was rejected.

The OpenLDAP 2.2 back-ldap can handle most of what's needed here, since it
supports connection sharing already. The only piece missing is the use of the
proxyAuth control for the proxied requests, which shouldn't be too hard to
add.

Proxy authorization policy is already controlled using the sasl-authz-policy
directive and its associated attributes. I don't see any reason to introduce
a new permission mechanism here.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

References:
- Re: Can I bind to server with DN not on server ?
  - From: Pierangelo Masarati <ando@sys-net.it>

Prev by Date: Re: Can I bind to server with DN not on server ?
Next by Date: RE: BDB 4.2.50 [finally] available
Index(es):
- Chronological
- Thread