
Re: proxycache with referral



The above analysis works only if the identity contacting the proxy does
not authenticate on the remote server; in case it does, current identity
assertion (idassert) is bypassed and a direct bind is performed with the
client's identity.  As such, we're stuck with the initial problem of
(mis)caching results obtained with the client's identity.  I'm working on
this.

p.


> Let me note that, apart from the bug you highlighted, if your purpose is
> to require authenticated access to the remote server and cache the
> searches at the proxy, your design is intrinsically flawed, because the
> cache has no knowledge of the identity it was gathered for, so, for
> instance (just tested with test020) if the remote server allows only
> "cn=Foo" to read data, and the proxy caches a search by "cn=Foo", a
> subsequent search by "cn=Bar" is answered as well by the proxy through the
> cache, while it wouldn't be answered directly by the remote server, nor by
> the proxy if the results were not already in the cache.
>
> What you really need, to keep protecting the remote server from anonymous
> binds, and being consistent in the returned results with the proxycache,
> is to exploit the proxy identity assertion, based on proxyAuthz, that is
> in HEAD code.
>
> This means that the requests coming from a selected pool of identities are
> proxied with the authorization identity of the proxy, so the same response
> is returned regardless of the client's identity (provided it authenticates
> and is allowed to perform the operation at the proxy side); you can
> enforce additional access rules at the proxy side to select what different
> identities can access from the cache.
>
> See slapd-ldap(5) idassert-* directives and test028 for further
> information.
>
> p.
>
>
>> Hi:
>>
>> Version: 2.2.18
>>
>>     I build a server for LDAP proxy cache. My destination server does not
>> allow anonymous binding. If I use LDAP backend only and do not set
>> proxycache overlay, it's OK. But if I enable proxycache overlay, there is
>> an error. After allowing anonymous binding, the error disappears.
>>
>>     The error 7 means Authentication method not supported because I do not
>> allow anonymous binding.
>>
>> ldap_chase_referrals
>> read1msg:  V2 referral chased, mark request completed, id = 1
>> new result:  res_errno: 7, res_error: <>, res_matched: <>
>> read1msg:  0 new referrals
>> read1msg:  mark request completed, id = 1
>> request 1 done
>> res_errno: 7, res_error: <>, res_matched: <>
>>
>>     Does chasing referral need to allow anonymous binding? What's the
>> difference between using rebind-as-user and not using it in slapd.conf? The
>> man page said that bind credentials are remembered for rebind when chasing
>> referrals. If I don't set this, will chasing referrals do anonymous binding?
>> I have set it, but the error is the same. How do I solve this problem except
>> allowing anonymous binding?
>>
>>     Thanks.
>>


-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi, 8 27100 Pavia Tel: +390382573859 Fax: +390382476497
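A slapd.conf fragment showing the setup recommended in the quoted reply (remote server refuses anonymous binds, every permitted client is proxied under one proxy identity, proxy-side ACLs decide who may read from the cache), plus the later-release flag that covers the bypass noted at the top of this message. This is an added example, not configuration from the thread or from the OpenLDAP test suite: it uses the idassert-bind / idassert-authzFrom and pcache directive names of later slapd-ldap(5) and slapo-pcache(5) releases rather than the HEAD syntax of the time, and the hostname, DNs, password, attribute set, query template and directory are placeholders.

```conf
# Proxy database. The remote server rejects anonymous binds, so every
# forwarded operation must carry an identity it accepts.
database        ldap
suffix          "dc=example,dc=com"
# placeholder remote server
uri             "ldap://remote.example.com/"

# Identity assertion (later slapd-ldap(5) syntax). The proxy binds to the
# remote server as its own identity; mode=none sends no proxyAuthz control,
# so that identity is used for every forwarded operation. The remote server
# therefore sees one identity for all clients, and what lands in the cache
# does not depend on who asked. flags=override (later releases) keeps the
# assertion in place even when the client's own bind succeeds on the remote
# server, the case where the reply above says idassert is bypassed.
# DN and credentials are placeholders.
idassert-bind   bindmethod=simple
                binddn="cn=proxy,dc=example,dc=com"
                credentials="proxy-secret"
                mode=none
                flags=override

# Only these local identities may use the assertion; anyone else is
# forwarded as themselves and meets the remote server's bind policy.
idassert-authzFrom "dn.regex:^uid=[^,]+,ou=people,dc=example,dc=com$"

# Proxy-side ACLs do the per-identity filtering, because the cache itself
# has no notion of the identity its entries were fetched for.
access to attrs=userPassword
        by * none
access to *
        by users read
        by * none

# Query cache (later slapo-pcache(5) directive names). The cached entries
# live in a local bdb database under the placeholder directory.
overlay         pcache
pcache          bdb 10000 1 1000 100
pcacheAttrset   0 cn mail telephoneNumber
pcacheTemplate  (&(objectClass=person)(uid=)) 0 3600
directory       /var/lib/ldap/pcache
```

Because the ACLs are evaluated at the proxy, a client outside the authzFrom pattern or denied by the `access` rules gets nothing from the cache, which is what keeps cached answers consistent with what the remote server would have returned.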