identity assertion in back-ldap
It appears that one of the more basic modes of operation is now missing in
back-ldap: if a direct bind is performed, then subsequent operations using
that identity should not do any proxyAuthz/identity assertion at all. They
should just re-use the already bound connection. I expected that this was the
behavior for idassert mode=legacy but apparently that's not the case.
Trawling thru the old discussions (from May 2004) wasn't too enlightening. I
suspect there's a bug here, but I'm not sure which of the assert modes to fix.
Also, the slapd-ldap(5) manpage now says "Direct binds are always proxied" but
it's not clear what the significance of that statement is. I.e., yes,
back-ldap has always passed direct binds through straight to the remote
server. Since this sentence occurs within the description of mode=legacy, are
we to imply that this is now only true for legacy mode, and in other modes
direct Binds may be munged in some other way?
The function ldap_back_is_proxy_authz() behaves as if the latter were true -
it returns 1 even if the op is a Bind request. But in fact the Bind will
always be sent thru to the remote server. What happens next, though, depends
on these various settings. I.e., after the connection has bound successfully,
it might be marked as bound with that ID, and available for further use by
that ID, or it may get left marked as anonymous, to be re-used for future Bind
requests.
The code and the manpage are both pretty unclear on what settings should be
used to get this combination of behavior:
  - assert identity on any ID that was not authenticated by this backend
  - passthru anything that was authenticated by this backend
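For reference, here is an added slapd.conf sketch (not from this post and not OpenLDAP's own documentation) written against the directive syntax of slapd-ldap(5). It assumes the `idassert-bind` directive with its `mode=` parameter and the `idassert-authzFrom` directive as documented for back-ldap; the suffix, URI, proxy DN, credentials and the `ou=local` subtree are constructed placeholders. Restricting assertion with `idassert-authzFrom` is the closest the documented settings come to the combination listed above; what happens to identities that fall outside that set after a successful direct Bind is the open question the post describes.

```conf
# Constructed slapd.conf fragment for a back-ldap database.
database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://remote.example.com/"

# Identity the proxy binds as when it asserts another identity
# via proxyAuthz (mode=legacy as mentioned above).
idassert-bind   bindmethod=simple
                binddn="cn=proxy,dc=example,dc=com"
                credentials="secret"
                mode=legacy

# Only local identities matching this regexp are eligible for
# identity assertion. Anything else, for example an identity
# that authenticated directly against the remote server through
# this backend, is not meant to be asserted.
idassert-authzFrom "dn.regex:^uid=[^,]+,ou=local,dc=example,dc=com$"
```

When testing a configuration like this, bind once as a `uid=...,ou=local,...` entry and once as a DN outside that subtree, then check on the remote server which authorization identity each follow-up operation arrives with; that is the quickest way to see whether the second case reuses its own bound connection or is being asserted (or left anonymous) instead.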
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/