[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Further development of chain overlay?

>> I have considered the possibility to make the chain overlay
>> also follow referrals as they are returned by a database.
>> This can be also useful for "dumb" clients that cannot chase
>> referrals by themselves; moreover, I'm about to allow chasing
>> of referrals with URI different from the underlying back-ldap
>> database, as well as multiple referral.
> I believe it is useful to handle multiple referrals and such, but I
> think a requirement here is that the underlying back-ldap have some
> knowledge of the destination. The chaining concept really applies to
> explicitly cooperating DSAs. The assumption is that all the DSAs that
> will be referenced are all associated in two ways:
>   1) they are part of the same overall DIB
>   2) they are all under the same administrative control
> The approach here should be to allow multiple back-ldap destinations to
> be configured and select the right one based on the referral URI. In
> particular, you must be able to provide an admin DN and credentials for
> each destination server, in order for a lot of the other things to work.

I see your point; in this case, a good idea could be to provide
a set of acceptable URIs, with administrative user to provide
authorization proxying.  Non-trusted referrals could be chased

>> I have a problem about how proxyAuthz control is propagated:
>> apparently binds are propagated anonymously; then operations
>> also occur anonymously, but if the original operation was
>> authenticated, the referred server correctly refuses to allow
>> non-authd proxyAuthz.  Clues?
> I haven't really looked at how the proxyAuthz stuff is put together. But
> it seems that what is supposed to happen is that the admin DN is used to
> open a session, and that session should be used by any proxyAuthz'd
> requests.

What's happening, apparently, is that the session is opened anonymously.
I'll look at it a bit more.

Another issue I noted, by playing with this stuff, is that when back-ldap
is used to proxy a server that contains referrals, they are returned as
serach references AND chased.  Maybe we should make referral chasing
optional, and, if selected, simply drop the search references.


Pierangelo Masarati