
proxy authorization



Given that we have a proxyAuthz control now, which can cause particular
operations on a session to be performed on behalf of another user, there's a
bit of a gap in the feature set. Binds need to be proxiable too - given a
scenario with a privileged user connected to slapd, performing ops on behalf
of other users, we still need a way to verify the identity of a requestor.
Currently we do a Bind for this purpose, but that Bind has to be done over a
separate connection because if it fails the connection will be left
Anonymous, and if it succeeds the connection will be left as the Bound user.
In a proxy server, we want the connection to be left as the privileged user
regardless of Bind outcome.

This seems like either the proxyAuthz control or perhaps the Noop control
should be used. The Noop seems to best represent the desired functionality,
while using the proxyAuthz control for this purpose seems cleaner from a
conceptual level, i.e., proxyAuthz is used for all proxy-related
operations...

Thoughts?

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
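
The session-state problem described in the message above, as an added example that is not part of the original post and is not OpenLDAP code: a toy in-memory model (no network I/O) showing why a credential check done with Bind on the privileged connection destroys the proxy identity, while the separate-connection workaround preserves it. All names, DNs and passwords are constructed, and the rule that only the proxy DN may use proxyAuthz is an assumed policy.

```python
import hmac

ANON = ""                                   # empty authorization identity = anonymous
PROXY_DN = "cn=proxy,dc=example,dc=com"     # constructed privileged identity
USERS = {                                   # constructed sample credentials
    PROXY_DN: "proxy-secret",
    "uid=alice,dc=example,dc=com": "alice-secret",
}

class Session:
    """One client connection; `authz` is the identity operations run as."""
    def __init__(self):
        self.authz = ANON

    def bind(self, dn, password):
        ok = dn in USERS and hmac.compare_digest(USERS[dn], password)
        # A Bind always replaces the session identity: the bound DN on
        # success, anonymous on failure. The previous identity is lost.
        self.authz = dn if ok else ANON
        return ok

    def search_as(self, proxied_dn=None):
        """Return the identity a search is evaluated as (proxyAuthz if given)."""
        if proxied_dn is None:
            return self.authz
        if self.authz != PROXY_DN:          # assumed policy: only the proxy user may proxy
            raise PermissionError("session not authorized to proxy")
        return proxied_dn

def privileged_session():
    """Open a connection and bind it as the privileged proxy user."""
    s = Session()
    if not s.bind(PROXY_DN, USERS[PROXY_DN]):
        raise RuntimeError("proxy bind failed")
    return s

def verify_in_band(priv, dn, password):
    """Check the requestor with a Bind on the privileged connection itself."""
    return priv.bind(dn, password)

def verify_out_of_band(dn, password):
    """Current workaround: check the requestor on a throwaway connection."""
    return Session().bind(dn, password)
```
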