
Re: Authentication in referrals

> Hi All.
> I have a replica of one branch from one LDAP to another in a
> master-client agreement. The replica works fine, but now I'm trying to
> make a referral from the client to the master. The proposal is that when
>  somebody tries to write his own entry in the client, the referral goes
> to the master and then updates the entry there.
> The referral is created automatically when I do the replica, but when I
> try to write in the consumer, the update in the master comes as an
> anonymous user, and I have the ACI configured not to allow this user to
> write. How could I validate as another user in the referral URL? Or how
> can I get an ACI that allows anonymous referrals to write but not
> anonymous users? Any idea?

1) your client could use ldap_set_rebind_proc() to rebind when chasing
referrals, if you have access to the code;

2) as a workaround, you could hide your replica behind a back-ldap,
because it can handle this on behalf of your client, if you're using
simple bind: create a proxy server with a back-ldap instance and add the
"rebind-as-user" directive; see slapd-ldap(5) for further details.  Then
your client must access the proxy instead of the real replica.

The latter is overkill, but I don't see any other chance.  Of course,
you could also hack slapd to automatically chase referrals in case of
updating a slave...


Pierangelo Masarati
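An added illustration of option 2, not part of the original reply: a slapd.conf fragment for a back-ldap proxy placed in front of the replica, using the "rebind-as-user" directive so that the referral to the master is chased with the client's own simple-bind identity rather than anonymously. Hostnames, suffix and file paths are placeholders.

```conf
# Added example (not from the original post): a proxy slapd that sits
# between the clients and the replica.  Clients bind to this proxy; when
# the replica answers an update with a referral to the master, the proxy
# follows it and rebinds there as the user, so the master's ACI sees the
# real identity instead of an anonymous write.
# All hostnames, the suffix and the paths below are placeholders.

include         /etc/openldap/schema/core.schema
pidfile         /var/run/slapd-proxy.pid

# back-ldap instance serving the replicated branch
database        ldap
suffix          "ou=People,dc=example,dc=com"

# the consumer (replica) the clients used to talk to directly
uri             "ldap://replica.example.com/"

# follow referrals returned by the replica (e.g. to the master on update)
chase-referrals yes

# on rebind to the referred-to server, reuse the DN and password the
# client presented to the proxy (works with simple bind only); because
# the password is forwarded, both hops should be protected with TLS
rebind-as-user  yes
```

Clients must then be pointed at the proxy (ldap://proxy.example.com/ in this placeholder setup) instead of the replica; see slapd-ldap(5) for the full list of directives.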