
Re: direct local change when a consumer chains a write to the producer? (Was: openldap-server-2.2.29: multimaster support)

At 01:00 AM 11/28/2005, Howard Chu wrote:
>At any rate, I don't believe the single proxyAuthz control is appropriate for both proxying and chaining purposes. 

In X.518, one of the ChainingArguments is the Originator of the
request: the DN of the user as known by the chaining DSA.
Though I'd have to ask Jim to be sure, he might have intended
use of the proxyAuthz control, attached to the ChainedRequest
wrapper (which might be better called the ChainRequest or
ChainingRequest to avoid some confusion) rather than to the
OperationRequest itself, to specify the Originator.

So one could have:

        chainedRequest request={
                modifyRequest ... proxyAuthz=X
        } proxyAuthz=Y.

To mean user Y requested to modify an entry as X.

The problem with this is that if the DSA wants to
authenticate as A but chain as B, it cannot, as
the semantics of the proxyAuthz are overloaded
when attached to the chainedRequest.

So, the former should be:
        chainedRequest originator=Y request={
                modifyRequest ... proxyAuthz=X
        }

and if the DSA wants to chain as B:
        chainedRequest originator=Y request={
                modifyRequest ... proxyAuthz=X
        } proxyAuthz=B