
Re: (ITS#6518) Slapd-ldap proxy between replica and mirror



> We have problems when we introduce a back-ldap proxy server between a
> delta-syncrepl server and a mirror configuration of two servers.
>
> The modifications through the replica server (with chaining configuration)
> over the first mirror server are made without problems. The problem appears
> when we introduce a back-ldap proxy between replica and the two servers in
> mirror mode.

I've already fixed the bit of this issue related to not being able to
process ordered attributes in proxies (ITS#6516).  This is required to
retrieve attributes authzFrom and authzTo, used by the proxy authorization
process.

The rest of your issue is related to the fact that the slave uses
proxyAuthz to propagate the modify request to the updateref server.  When
this is a proxy, it needs to add proxyAuthz itself to correctly proxy the
operation to the master.  But two proxyAuthz controls are not allowed.

You'd need to use distributed procedures, which are not implemented in
OpenLDAP.  A distributed operation would then consist in an extended
operation that wraps the original one into a new request, with its own
controls.  At this point, proxyAuthz could apply incrementally at each
layer.

I'd treat your ITS as yet another request to implement distributed
procedures.

p.
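
The conflict described in the reply above, as an added example that is not part of the original message or of OpenLDAP's code: it BER-encodes the RFC 4370 proxied authorization control and models each hop adding one to a request. The function names, the chain model and the sample identity are assumptions made for illustration.

```python
PROXY_AUTHZ_OID = "2.16.840.1.113730.3.4.18"  # proxied authorization control, RFC 4370

class DuplicateProxyAuthz(Exception):
    """The request already carries a proxyAuthz control."""

def ber(tag, content):
    # Definite-length BER TLV; long form once the content reaches 128 bytes.
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + content

def read_tlv(buf, pos=0):
    # Returns (tag, content) of the TLV starting at pos.
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        width = first & 0x7F
        length = int.from_bytes(buf[pos:pos + width], "big")
        pos += width
    else:
        length = first
    return tag, buf[pos:pos + length]

def proxy_authz_control(authz_id):
    # Control ::= SEQUENCE { controlType, criticality (must be TRUE), controlValue }
    return ber(0x30, ber(0x04, PROXY_AUTHZ_OID.encode())
               + ber(0x01, b"\xff")
               + ber(0x04, authz_id.encode()))

def control_oid(encoded):
    tag, body = read_tlv(encoded)
    if tag != 0x30:
        raise ValueError("control is not a SEQUENCE")
    tag, oid = read_tlv(body)
    if tag != 0x04:
        raise ValueError("controlType is not an OCTET STRING")
    return oid.decode()

def add_proxy_authz(controls, authz_id):
    # A hop may attach the control only if the request does not carry one yet.
    if any(control_oid(c) == PROXY_AUTHZ_OID for c in controls):
        raise DuplicateProxyAuthz(authz_id)
    return controls + [proxy_authz_control(authz_id)]

def simulate_chain():
    # Constructed identity; the slave chains the write to its updateref.
    from_slave = add_proxy_authz([], "dn:uid=alice,dc=example,dc=com")
    try:
        # The updateref is a back-ldap proxy that must assert an identity too.
        add_proxy_authz(from_slave, "dn:uid=alice,dc=example,dc=com")
    except DuplicateProxyAuthz:
        return "proxy cannot forward: second proxyAuthz needed"
    return "forwarded to master"
```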