[Date Prev][Date Next]
Re: Meta Idassert-bind
----- "Andrew Graham" <email@example.com> wrote:
> *** Before acting on this email or opening any attachment you are
> advised to read the disclaimer at the end of this email ***
> I've re-read my original message and it didn't make alot of sense. So
> here's take two!
> I'm using back-meta to attempt to amalgamate several ldap servers
> one single tree. This should cater for users that exist only in a
> BDB database, and also for users with accounts in one of the target
> servers. If I say 'local' or 'remote' user at any point, I'm
> to users stored in the local bdb database or a remote ldap server
> respectively. I shall refer to the local openldap server as the proxy
> The meta database is subordinate to the local database. This allows
> to have a base record for the entire directory.
> Everything works perfectly for targets that don't require a bind
> searching. For targets that do require a successful bind, I've been
> trying to use the 'idassert-bind' feature with mixed results. The
> following is a description of the behaviour I am trying to achieve:
> If a local user binds to the proxy server, and performs a query with
> one or more targets in scope, then the proxy server should use
> predefined credentials to bind to and search only the targets in
> on behalf of the local user.
> If a remote user binds to the proxy server, and performs a query
> affecting only the target where that user is stored, then the proxy
> server should bind to that target using the credentials supplied by
> remote user. If there are any other targets in the scope of the
> openldap should not attempt to use the predefined credentials to bind
> and search on that target.
> To try to achieve this, I have placed all local users in their own
> branch of the tree, and set the 'idassert-authzFrom' for each target
> match this branch only, thus preventing remote users from using the
> idassert feauture and barring them from querying other targets than
> their own.
> Here is the first of two 'interesting' results. If I bind to the
> server as a remote user with multiple targets in scope, the bind is
> proxied to the remote user's target correctly. The proxy then
> to attempt to bind to the other targets in scope using seemingly
> names. Some examples (captured with wireshark) are '\270+1\b',
> '\250\202/\b\005', '\220\241\322\267\220\241\322\267\020' and
> 'x\267.\b'. The name changes every time, but each time no password is
> provided. The proxy will not attempt to search any of the targets
> binding, even the target to which the user belongs.
> I'm not sure I understand the purpose of the 'non-prescriptive' flag,
> but if I set it on each target (as Pierangelo suggested previously),
> unusual behaviour changes. When binding with a remote user, the proxy
> will correctly bind to the target to which the remote user belongs
> the remote users credentials. If another target is in scope, the
> will attempt to bind to it without name or password. The proxy will
> proceed to search the targets. This is fine for my situation, but I
> would like to understand why this happens?
> The second problem I'm having is with the local users. If the
> 'network-timeout' statement is used in the meta database definition,
> whenever a local user binds to the proxy and queries one or more of
> target servers, the proxy will attempt to bind to the targets with
> predefined name but with no password. If network-timeout is not
> specified, the proxy binds with both the predefined name and password
> every target in scope. Is this behaviour intended or a bug?
I think your explanation is clear enough, provided some of the behaviours you describe are quite unexpected. There seems to be quite a few bugs in this feature. Unfortunately, I won't be able to work at it in the next few days, you'll need to wait at least until the end of next week.
Ing. Pierangelo Masarati
OpenLDAP Core Team
via Dossi, 8 - 27100 Pavia - ITALIA
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497