[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: chaining and proxy

To: Pierangelo Masarati <ando@sys-net.it>
Subject: Re: chaining and proxy
From: Guillaume Rousse <Guillaume.Rousse@inria.fr>
Date: Tue, 30 Sep 2008 10:21:50 +0200
Cc: openldap-software@openldap.org
In-reply-to: <48E1B7B2.3090902@sys-net.it>
References: <48E135F4.6060704@inria.fr> <48E1B7B2.3090902@sys-net.it>
User-agent: Thunderbird 2.0.0.17 (X11/20080929)

Pierangelo Masarati a écrit :

Guillaume Rousse wrote:
Hello.
I successfully setup the chain overlay, so as to push changes from a slave to a master, with something as: overlay chain chain-uri "ldap://ldap1.domain.tld"; chain-idassert-bind bindmethod="simple" binddn="cn=chain,ou=roles,dc=domain,dc=tld" credentials="s3cr3t" mode="self" chain-idassert-authzFrom "*" chain-tls start chain-return-error TRUE

I'm curious, tough, why the slave has to use a proxy identity to authenticate on the master, instead of reusing original query credentials. Is there something preventing it, or is just that all examples I found sofar were using it ?
First of all, in order to do that, slapd-ldap(5), which implements the chain capability, should know about the details of syncrepl. Second, the credentials used for syncrepl need to have broad *read* permissions, while slapo-chain(5) credentials must have broad *authz* permissions. One might want to use separate identities in order to craft their permissions appropriately. The fact that slapo-chain(5) is very useful in conjunction with sync replication is orthogonal to slapo-chain(5) design. In fact, it was not designed for this purpose.

I guess you're referring to syncrepl for multi-master replication scenarios, right ? In my case, I'm using slapo-chain to allow my user to change their password, whereas they only access the slave server. Meaning I only push user-triggered changes to the master. Sorry if I was not clear enough.

I was also curious to know if the slapauth tool was usable to test such kind of proxy setup. Reading the man page, it seems rather adapted to testing identity mapping through authz-regexp directives.
No. In fact, slapauth only tests authz-rgexp mapping, while what you want is something similar to authz-regexp but specific to slapd-ldap(5), and thus buried in its internals. Since it results in an RFC 4370 proxied authorization control, it could be interesting to have a companion of the RFC 4532 who am I? operation that tells how a DSA is going to authorize when chaining an operation, and what the who am I? operation returned after chaining. However, I believe this would only be useful for "maintenance" checking, as the whole purpose of slapo-chain(5) is to hide the fact that operations are not handled locally.

OK, thanks for the explanation.
--
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62

Follow-Ups:
- Re: chaining and proxy
  - From: Pierangelo Masarati <ando@sys-net.it>

References:
- chaining and proxy
  - From: Guillaume Rousse <Guillaume.Rousse@inria.fr>
- Re: chaining and proxy
  - From: Pierangelo Masarati <ando@sys-net.it>

Prev by Date: Re: chaining and proxy
Next by Date: Re: chaining and proxy
Index(es):
- Chronological
- Thread