
Re: Connections pool on backend-meta and backend-ldap

> Hi, I have a slapd 2.3.27 configuration proxying external directories
> via backend-meta, using directives 'pseudorootdn' and 'pseudorootpw'
> to authenticate against the external directories so I always connect
> to slapd with meta-backend's rootDN, and I'd want to use the
> connection pooling mechanism implemented on this backend, but I'm not
> sure about how to accomplish it.
> 'Description' section of slapd-ldap man page tells that "sessions that
> explicitly bind to the back-ldap database always create their own
> private connection to the remote LDAP server" (as I have verified
> myself), and then it explains that "for sessions bound through other
> mechanisms all sessions with the same DN will share the same
> connection". What mechanisms is the text referring to?

It essentially means that if you connect to back-ldap using an auth
mechanism other than simple bind with a DN belonging to the back-ldap
database's naming context, operations on that connection will use a pooled
connection and will be anonymous.  If you want non-anonymous connections,
you need to use the idassert feature, so that the proxy binds to the
remote host with a given identity, and adds a proxyAuthz control to each
operation, which is performed using the pooled connection, authorizing as
the client's identity.

I don't remember what back-meta exactly does in current 2.3, since it's
been completely reworked in HEAD to reproduce this behavior of back-ldap.
Portions of that recoding already made it into 2.3, and more will follow
shortly, but not yet in 2.3.28.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
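
As an added illustration of the idassert mechanism described in the reply above (not a configuration from the thread or from OpenLDAP's own documentation), the following back-ldap fragment shows the relevant slapd.conf directives. The suffix, URI, proxy DN and credentials are hypothetical placeholders; the directive names are those of slapd-ldap(5) in the 2.3 series.

```conf
# Proxy database: requests for dc=example,dc=com are forwarded to a
# remote directory over the pooled connections back-ldap manages.
database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://remote.example.com/"

# Identity assertion: the proxy itself binds to the remote server as
# cn=proxy (hypothetical DN / password) and reuses that one connection
# for all clients.  Each forwarded operation carries a proxyAuthz
# control naming the client's own identity, so the remote server
# evaluates access as the client rather than as cn=proxy.
idassert-bind   bindmethod=simple
                binddn="cn=proxy,dc=example,dc=com"
                credentials="CHANGE-ME-placeholder"
                mode=self

# Restrict which local identities may be asserted through the proxy.
# "dn.regex:.*" allows any authenticated DN; narrow it to the subtree
# that actually needs to be proxied where possible.
idassert-authzFrom "dn.regex:.*"
```

On the remote server the proxy identity must be permitted to authorize as the asserted DNs (its authzTo attribute together with the remote authz-policy), otherwise every proxied operation fails with an authorization error rather than silently running as cn=proxy.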