[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: direct local change when a consumer chains a write to the producer? (Was: openldap-server-2.2.29: multimaster support)

> At 01:00 AM 11/28/2005, Howard Chu wrote:
>>At any rate, I don't believe the single proxyAuthz control is appropriate
>> for both proxying and chaining purposes.
> In X.518, one of the ChainingArguments is the Originator of the
> request, the DN of the user as known by the chaining DSA.
> Though I'd have to ask Jim to be sure, he might have intended
> use of the proxyAuthz control (attached to the ChainedRequest
> (which might be better called the ChainRequest or ChainingRequest
> to avoid some confusion) wrapper (not the OperationRequest itself)
> to specify the Originator.
> So one could have:
>         chainedRequest request={
>                 modifyRequest ... proxyAuthz=X
>         } proxyAuthz=Y.
> To mean user Y requested to modify an entry as X.
> Problem with this is that what if the DSA wants to
> authenticate as A but chain as B, it cannot as
> the semantics of the proxyAuthz are overloaded
> when attached to the chainedRequest.
> So, the former should be:
>         chainedRequest originator=Y request={
>                 modifyRequest ... proxyAuthz=X
>         }
> and if the DSA wants to chain as B:
>         chainedRequest originator=Y request={
>                 modifyRequest ... proxyAuthz=X
>         } proxyAuthz=B

The latter sounds not too far from my (naive) idea of layering controls
(at least those that determine a change in the "environment" of the
operation (like the identity the operation is being performed as).

As far as naming and so is concerned, I have questions that I want to ask
on the ldapext list, but first I need to better understand that draft, and
prottype some coding.  I note, by the way, that unless I'm missing
anything trivial, the argument [1] of the ContinuationReference is

      ContinuationReference ::= SET {
         referralURI      [0] SET SIZE (1..MAX) OF URI,
         localReference   [2] LDAPDN,

I suspect that might be the "originator"'s name.


Pierangelo Masarati

Ing. Pierangelo Masarati
Responsabile Open Solution

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
Office:   +39.02.23998309          
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it