Re: proxycache with referral



Let me note that, apart from the bug you highlighted, if your purpose is
to require authenticated access to the remote server and cache the
searches at the proxy, your design is intrinsically flawed, because the
cache has no knowledge of the identity it was gathered for, so, for
instance (just tested with test020) if the remote server allows only
"cn=Foo" to read data, and the proxy caches a search by "cn=Foo", a
subsequent search by "cn=Bar" is answered as well by the proxy through the
cache, while it wouldn't be answered directly by the remote server, nor by
the proxy if the results were not already in the cache.

What you really need, to keep protecting the remote server from anonymous
binds while being consistent in the returned results with the proxycache,
is to exploit the proxy identity assertion, based on proxyAuthz, that is
in HEAD code.

This means that the requests coming from a selected pool of identities are
proxied with the authorization identity of the proxy, so the same response
is returned regardless of the client's identity (provided it authenticates
and is allowed to perform the operation at the proxy side); you can
enforce additional access rules at the proxy side to select what different
identities can access from the cache.

See slapd-ldap(5) idassert-* directives and test028 for further information.

p.


> Hi:
>
> Version: 2.2.18
>
>     I built a server for LDAP proxy cache. My destination server does not
> allow anonymous binding. If I use the LDAP backend only and do not set the
> proxycache overlay, it's OK. But if I enable the proxycache overlay, there is
> an error. After allowing anonymous binding, the error disappears.
>
>     The error 7 means Authentication method not supported because I do not
> allow anonymous binding.
>
> ldap_chase_referrals
> read1msg:  V2 referral chased, mark request completed, id = 1
> new result:  res_errno: 7, res_error: <>, res_matched: <>
> read1msg:  0 new referrals
> read1msg:  mark request completed, id = 1
> request 1 done
> res_errno: 7, res_error: <>, res_matched: <>
>
>     Does chasing referrals need to allow anonymous binding? What's the
> difference between using rebind-as-user and not using it in slapd.conf? The
> man page said that bind credentials are remembered for rebind when chasing
> referrals. If I don't set this, will chasing referrals do anonymous
> binding? I have set it, but the error is the same. How do I solve this
> problem except by allowing anonymous binding?
>
>     Thanks.
>


-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
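The design the reply recommends, as an added slapd.conf fragment that is not part of this thread: the local identities listed in idassert-authzFrom are forwarded with the proxy's own remote identity, so the cache holds one consistent view regardless of which client filled it, and proxy-side ACLs decide who may read from it. The directive names are those of later released slapd-ldap(5) and slapo-pcache(5) (idassert-bind, pcache), not the 2.2/HEAD syntax of the time; the suffix, URI, DNs and password are placeholders.

```conf
# Proxy database: requests for the suffix go to the remote server, but
# searches from the selected local identities are sent with the proxy's
# own authorization identity, so the cache is filled with one view
# instead of whatever the first authenticated client happened to see.
database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://remote.example.com/"

# Identity the proxy binds as on the remote server (placeholder DN/password).
# mode=none: no proxyAuthz control is sent, the binddn identity is used
# for every proxied operation.
idassert-bind   bindmethod=simple
                binddn="cn=proxy,dc=example,dc=com"
                credentials="secret"
                mode=none

# Only these locally authenticated identities are given the asserted
# identity; any other client, anonymous included, does not get it and
# therefore still cannot read from the remote server.
idassert-authzFrom "dn.exact:cn=Foo,dc=example,dc=com"
idassert-authzFrom "dn.exact:cn=Bar,dc=example,dc=com"

# Proxy-side access rules decide who may see what, cached or not:
# cn=Bar gets nothing even if the cache was populated by cn=Foo's search.
access to dn.subtree="ou=people,dc=example,dc=com"
        by dn.exact="cn=Foo,dc=example,dc=com" read
        by * none

# Cache: at most 10000 entries, 1 attribute set, 50 entries per cached
# query, consistency check every 100 seconds; searches of the form (sn=X)
# asking for attribute set 0 are answered from the cache for 3600 seconds.
overlay         pcache
pcache          bdb 10000 1 50 100
pcacheAttrset   0 cn sn mail
pcacheTemplate  (sn=) 0 3600
directory       /var/lib/ldap/cache
index           objectClass eq
```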