
Re: chaining through proxy and slave

> Hello list,
> With the following scenario
> Client (A) <-----> back_ldap Proxy (B) <-----> syncrepl Slave (C)
> <-----> Master (D)
> and B and C use a binddn that only has full read permissions on the
> database, except for a couple of attributes, on which it has full write
> permissions. Also, each of the represented nodes can only "talk" to the
> nodes to which there is a represented connection, so (A) and (B) cannot
> chase a configured referral to (D).
> What would be the proper way to set up (B) and (C) so that (A) could push
> updates for the couple of attributes into the master (D) node?
> At the Slave level, I've already set up chaining and made it use (D) as
> updateref, but then any push on (B) would not propagate. I also noticed
> that although I used mode=self in the chaining, I had to configure a
> binddn which had full write permissions. Wouldn't it be sufficient to
> have a full read enabled binddn or even no binddn at all since the bind
> would then be made using the client's credentials?

This is not going to work, because using mode=self, idassert authc's as
the proxy identity, and then proxyauthz's as the user's identity.  As a
consequence, when the slave tries to chain a modification, it finds the
proxyauthz control already in use, and cannot assert the original

Distributed procedures (distproc, currently not implemented) would be
needed to fit your needs.