
RE: proxyAuth for bind (Was: Can I bind to server with DN not on server ?)



At 01:08 AM 11/30/2003, Howard Chu wrote:
>> -----Original Message-----
>> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
>
>> One of the problems using the proxyAuthz control in chaining
>> (between servers) is that it interferes with clients' own use
>> of the control between the client and the directory.
>>
>> In hallway discussions at IETF#58, we concluded that LDAP
>> really needs to have a "chaining" operation which would wrap
>> the client request when it was chained to another server (much
>> like in X.500).  This would provide a clear separation between
>> client's desires and chaining server's desires.
>
>Sounds like time to dust off a copy of X.518 and read through the Distributed
>Authentication model... It seems a "ChainingArguments" control to accompany
>any other operation would be more appropriate than a new operation.

Well, there are a number of reasons why using a wrapper adds
value.  First, it doesn't require the chaining server to rewrite
the operation.  The chaining server just wraps it.  Otherwise,
the server has to recode it (to ensure the message id is unique,
add the ChainingArguments control, etc.).  Second, a wrapped
operation protects the chaining session from inter-operation
semantics of the wrapped operation.  That is, if an unwrapped
bind operation fails, the session MUST return to anonymous.
However, if a wrapped bind operation fails, the outer session can
be left in the same association.  Third, result handling is more
clear.  The chained server can return information independently
to the client and to the chaining server.

The main drawback to a chaining operation is that some servers won't
support it.  Hence, there are cases where a chaining server might
want to attempt to use unwrapped operations.

Kurt
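The first two arguments above (re-encoding with a fresh message id, and bind failure resetting the shared session to anonymous) as a small Python model; this is an added example, not OpenLDAP code, and the wrapping "chaining operation" it contrasts with the unwrapped forward is hypothetical, as are the DNs and passwords.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed credential store on the chained (remote) server.
PASSWORDS = {"cn=chainer": "s3cret", "cn=alice": "alice-pw"}


@dataclass
class Session:
    """One LDAP association. Per RFC 4511 a bind that fails leaves it anonymous."""
    bound_as: Optional[str] = None
    next_msgid: int = 1

    def alloc_msgid(self) -> int:
        msgid, self.next_msgid = self.next_msgid, self.next_msgid + 1
        return msgid

    def bind(self, dn: str, password: str) -> str:
        self.bound_as = None  # association is reset before the new bind is evaluated
        if PASSWORDS.get(dn) == password:
            self.bound_as = dn
            return "success"
        return "invalidCredentials"


class ChainingServer:
    def __init__(self) -> None:
        # The chaining server's own long-lived session to the chained server.
        self.upstream = Session()
        self.upstream.alloc_msgid()
        assert self.upstream.bind("cn=chainer", "s3cret") == "success"

    def forward_unwrapped(self, client_msgid: int, dn: str, password: str) -> dict:
        # The client's bind must be re-encoded with a message id unique on the
        # upstream session, and it replaces that session's association.
        upstream_id = self.upstream.alloc_msgid()
        result = self.upstream.bind(dn, password)
        return {"upstream_msgid": upstream_id, "inner_msgid": None, "result": result,
                "upstream_bound_as": self.upstream.bound_as}

    def forward_wrapped(self, client_msgid: int, dn: str, password: str) -> dict:
        # Hypothetical chaining operation: only the wrapper gets an upstream
        # message id, the inner bind keeps the client's id and is evaluated on
        # its own association, so the chaining session stays bound as cn=chainer.
        upstream_id = self.upstream.alloc_msgid()
        inner = Session()
        result = inner.bind(dn, password)
        return {"upstream_msgid": upstream_id, "inner_msgid": client_msgid, "result": result,
                "upstream_bound_as": self.upstream.bound_as, "client_bound_as": inner.bound_as}
```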