[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Meta Idassert-bind

To: Andrew Graham <andrew.graham@agustawestland.com>
Subject: Re: Meta Idassert-bind
From: Pierangelo Masarati <ando@sys-net.it>
Date: Thu, 31 Jul 2008 20:42:07 +0200 (CEST)
Cc: openldap-software@openldap.org
In-reply-to: <s891d1ac.040@tungsten.whl.co.uk>

----- "Andrew Graham" <andrew.graham@agustawestland.com> wrote:

> ***  Before acting on this email or opening any attachment you are
> advised to read the disclaimer at the end of this email ***
> 
> I've re-read my original message and it didn't make alot of sense. So
> here's take two!
> 
> I'm using back-meta to attempt to amalgamate several ldap servers
> into
> one single tree. This should cater for users that exist only in a
> local
> BDB database, and also for users with accounts in one of the target
> ldap
> servers. If I say 'local' or 'remote' user at any point, I'm
> referring
> to users stored in the local bdb database or a remote ldap server
> respectively. I shall refer to the local openldap server as the proxy
> server.
> 
> The meta database is subordinate to the local database. This allows
> me
> to have a base record for the entire directory.
> 
> Everything works perfectly for targets that don't require a bind
> before
> searching. For targets that do require a successful bind, I've been
> trying to use the 'idassert-bind' feature with mixed results. The
> following is a description of the behaviour I am trying to achieve:
> 
> If a local user binds to the proxy server, and performs a query with
> one or more targets in scope, then the proxy server should use
> predefined credentials to bind to and search only the targets in
> scope
> on behalf of the local user.
> 
> If a remote user binds to the proxy server, and performs a query
> affecting only the target where that user is stored, then the proxy
> server should bind to that target using the credentials supplied by
> the
> remote user. If there are any other targets in the scope of the
> query,
> openldap should not attempt to use the predefined credentials to bind
> to
> and search on that target.
> 
> To try to achieve this, I have placed all local users in their own
> branch of the tree, and set the 'idassert-authzFrom' for each target
> to
> match this branch only, thus preventing remote users from using the
> idassert feauture and barring them from querying other targets than
> their own. 
> 
> Here is the first of two 'interesting' results. If I bind to the
> proxy
> server as a remote user with multiple targets in scope, the bind is
> proxied to the remote user's target correctly. The proxy then
> proceeds
> to attempt to bind to the other targets in scope using seemingly
> random
> names. Some examples (captured with wireshark) are '\270+1\b',
> '\250\202/\b\005', '\220\241\322\267\220\241\322\267\020' and
> 'x\267.\b'. The name changes every time, but each time no password is
> provided. The proxy will not attempt to search any of the targets
> after
> binding, even the target to which the user belongs.
> 
> I'm not sure I understand the purpose of the 'non-prescriptive' flag,
> but if I set it on each target (as Pierangelo suggested previously),
> the
> unusual behaviour changes. When binding with a remote user, the proxy
> will correctly bind to the target to which the remote user belongs
> using
> the remote users credentials. If another target is in scope, the
> proxy
> will attempt to bind to it without name or password. The proxy will
> proceed to search the targets. This is fine for my situation, but I
> would like to understand why this happens?
> 
> The second problem I'm having is with the local users. If the
> 'network-timeout' statement is used in the meta database definition,
> whenever a local user binds to the proxy and queries one or more of
> the
> target servers, the proxy will attempt to bind to the targets with
> the
> predefined name but with no password. If network-timeout is not
> specified, the proxy binds with both the predefined name and password
> to
> every target in scope. Is this behaviour intended or a bug? 

I think your explanation is clear enough, provided some of the behaviours you describe are quite unexpected.  There seems to be quite a few bugs in this feature.  Unfortunately, I won't be able to work at it in the next few days, you'll need to wait at least until the end of next week.

p.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------

References:
- Re: Meta Idassert-bind
  - From: "Andrew Graham" <andrew.graham@agustawestland.com>

Prev by Date: Re: back-sql using varchar keyvals and ids
Next by Date: RE: slapd does not start, where do I find the error?
Index(es):
- Chronological
- Thread