
Re: bind & backends



At 02:01 AM 2/28/2005, Howard Chu wrote:
>reinhard.e.voglmaier@gsk.com wrote:
>
>
>>Playing with the backend I've seen that not all binds arrive at the backend at all.
>>Anonymous binds for example do not.
>>Only binds with user/pass arrive.
>
>Correct.
>
>>My question now is:
>>I understand that it may not be necessary to forward an anonymous bind to the backend. When further requests arrive, the backend can try to understand if the connection has been authenticated or not (anonymous bind).
>>What I need to understand is: how does the backend understand if the frontend already authenticated the request? In the case of the administrator account, which is hardwired in the config file, for example, the frontend can authenticate the access, so does it? As far as I see, the backend does not have the possibility to do so, unless it does not read the slapd.conf file. Something I do not see?
>
>Currently the backend must authenticate the rootdn.

Actually, no.  The rootdn may be authenticated by other means
(SASL, or by another backend).  However, rootpw, if provided for
the rootdn, must be authenticated by that backend.

>This step probably should migrate to the frontend. Anyway, back-bdb/bind.c is a good example. Note the call to be_isroot_pw().

This is authentication of the rootpw.  rootpw is, of course, optional.
That is, the rootdn could be authenticated by means other than checking
a rootpw (such as SASL).

>The identity associated with a request is carried around in op->o_ndn. If the value is empty, the operation is anonymous. Otherwise it carries the authorization ID for the request.
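
A simplified, self-contained model of the flow discussed in this thread, added here as an example; it is not OpenLDAP source code, and every `model_*` name is a hypothetical stand-in (the real counterparts named in the thread are `be_isroot_pw()` and `op->o_ndn`). It assumes a backend that holds no entries and a plain-text rootpw, so only the rootpw path can authenticate; other means such as SASL are not modelled.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for slapd's structures; NOT the real OpenLDAP types. */
struct model_backend {
    const char *rootdn;   /* assumed already normalized */
    const char *rootpw;   /* NULL when no rootpw is configured (it is optional) */
    int bind_calls;       /* how many binds actually reached the backend */
};
struct model_op {
    struct model_backend *be;
    char ndn[128];        /* plays the role of op->o_ndn; "" means anonymous */
};
enum { MODEL_SUCCESS = 0, MODEL_INVALID_CREDENTIALS = 49 };

/* Stand-in for the rootpw check: true only for the rootdn with a configured rootpw. */
static int model_is_root_pw(const struct model_backend *be, const char *dn, const char *pw) {
    if (be->rootpw == NULL || strcmp(dn, be->rootdn) != 0) return 0;
    return pw[0] != '\0' && strcmp(pw, be->rootpw) == 0;  /* model: plain-text compare */
}

/* Backend bind handler: the model holds no entries, so only rootpw can succeed. */
static int model_backend_bind(struct model_backend *be, const char *dn, const char *pw) {
    be->bind_calls++;
    return model_is_root_pw(be, dn, pw) ? MODEL_SUCCESS : MODEL_INVALID_CREDENTIALS;
}

/* Frontend: anonymous binds are answered here and never reach the backend. */
int model_bind(struct model_op *op, const char *dn, const char *pw) {
    op->ndn[0] = '\0';                          /* a bind resets the identity first */
    if (dn[0] == '\0' && pw[0] == '\0') return MODEL_SUCCESS;
    if (strlen(dn) >= sizeof op->ndn) return MODEL_INVALID_CREDENTIALS;
    int rc = model_backend_bind(op->be, dn, pw);
    if (rc == MODEL_SUCCESS) strcpy(op->ndn, dn);   /* identity carried on later ops */
    return rc;
}

/* What a backend checks on later requests: an empty identity means anonymous. */
int model_is_anonymous(const struct model_op *op) { return op->ndn[0] == '\0'; }

int main(void) {
    struct model_backend be = { "cn=manager,dc=example,dc=com", "secret", 0 };  /* constructed */
    struct model_op op = { &be, "" };
    int rc = model_bind(&op, "", "");
    printf("anonymous bind: rc=%d backend calls=%d\n", rc, be.bind_calls);
    rc = model_bind(&op, be.rootdn, "secret");
    printf("rootdn bind: rc=%d anonymous=%d\n", rc, model_is_anonymous(&op));
    return 0;
}
```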