Logged in as guest
Viewing Software Enhancements/6518 Full headers
Major security issue: yes no
Notes: needs distproc Notification:
Date: Tue, 13 Apr 2010 08:06:21 +0000 From: udorta@iac.es To: openldap-its@OpenLDAP.org Subject: Slapd-ldap proxy between replica and mirror
Full_Name: Ubay Dorta Version: 2.4.21 OS: Suse Linux Enterprise Server 10 SP2 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (161.72.9.46) We have problems when we introduce a back-ldap proxy server between a delta-syncrepl server and a mirror configuration of two servers. The modifications through the replica server (with chaining configuration) over the first mirror server are made without problems. The problem appears when we introduce a back-ldap proxy between replica and the two servers in mirror mode. First Scenario: --------------------- A delta syncrepl server replicating from the first server of a mirror. IPs: delta syncrepl (192.168.1.5), mirror server 1 (192.168.1.10), mirror server 2 (192.168.1.20) replica slapd.conf ##################### # Chaining configuration # ##################### overlay chain chain-uri "ldap://mirror1:389" chain-idassert-bind bindmethod="simple" binddn="cn=replicator,dc=example,dc=com" credentials="secret" mode="self" chain-return-error TRUE ########## # Replica # ########## database bdb suffix "dc=example,dc=com" rootdn "cn=Administrator,dc=example,dc=com" rootpw "secret" checkpoint 1024 5 cachesize 10000 index objectClass,uidNumber,gidNumber eq index member,mail eq,pres index cn,displayname,uid,sn,givenname sub,eq,pres overlay ppolicy ppolicy_default "cn=Default Password Policy,dc=example,dc=com" ppolicy_forward_updates ppolicy_hash_cleartext overlay memberof ################## # Syncrepl directives # ################## syncrepl rid=001 provider=ldap://mirror1:389 type=refreshAndPersist retry="60 +" searchbase="dc=example,dc=com" filter="(objectclass=*)" scope=sub attrs="*" schemachecking=on binddn="cn=replicator,dc=example,dc=com" bindmethod=simple credentials=secret sizelimit=unlimited logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" syncdata=accesslog # Refer updates to the master updateref ldap://mirror1:389 ------------------------- ------------------------- slapd.conf of mirror server #1 ------------------------------------------- # Global section serverID 1 moduleload memberof access to dn.base="" by * read access to dn.base="cn=Subschema" by * read access to attrs=userPassword,userPKCS12 by self write by dn.base="cn=replicator,dc=example,dc=com" read by * auth access to attrs=shadowLastChange by self write by * read # Give the replica DN unlimited read access. This ACL needs to be # merged with other ACL statements, and/or moved within the scope # of a database. The "by * break" portion causes evaluation of # subsequent rules. See slapd.access(5) for details. access to * by dn.base="cn=replicator,dc=example,dc=com" read by * break access to * by * read # Load the accesslog overlay moduleload accesslog.la #Load the syncprov overlay moduleload syncprov.la # Accesslog database definitions database bdb monitoring off suffix cn=accesslog rootdn cn=accesslog index default eq index entryCSN,objectClass,reqEnd,reqResult,reqStart overlay syncprov syncprov-nopresent TRUE syncprov-reloadhint TRUE # Let the replica DN have limitless searches limits dn.exact="cn=replicator,dc=example,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited ####################################################################### # BDB database definitions ####################################################################### database bdb monitoring off suffix "dc=example,dc=com" rootdn "cn=Administrator,dc=example,dc=com" rootpw "secret" checkpoint 1024 5 cachesize 10000 index objectClass,uidNumber,gidNumber eq index member,mail eq,pres
Date: Wed, 14 Apr 2010 21:19:35 +0200 (CEST) Subject: Re: (ITS#6518) Slapd-ldap proxy between replica and mirror From: masarati@aero.polimi.it To: udorta@iac.es Cc: openldap-its@openldap.org
> We have problems when we introduce a back-ldap proxy server between a > delta-syncrepl server and a mirror configuration of two servers. > > The modifications through the replica server (with chaining configuration) > over > the first mirror server are made without problems. The problem appears > when we > introduce a back-ldap proxy between replica and the two servers in mirror > mode. I've already fixed the bit of this issue related to not being able to process ordered attributes in proxies (ITS#6516). This is required to retrieve attributes authzFrom and authzTo, used by the proxy authorization process. The rest of your issue is related to the fact that the slave uses proxyAuthz to propagate the modify request to the updateref server. When this is a proxy, it needs to add proxyAuthz itself to correctly proxy the operation to the master. But two proxyAuthz controls are not allowed. You'd need to use distributed procedures, which are not implemented in OpenLDAP. A distributed operation would then consist in an extended operation that wraps the original one into a new request, with its own controls. At this point, proxyAuthz could apply incrementally at each layer. I'd treat your ITS as yet another request to implement distributed procedures. p.
______________ © Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org
