[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Connections pool on backend-meta and backend-ldap
> Hi, I have a slapd 2.3.27 configuration proxying external directories
> via backend-meta, using directives 'pseudorootdn' and 'pseudorootpw'
> to authenticate against the external directories so I always connect
> to slapd with meta-backend's rootDN , and I'd want to use the
> connection pooling mechanism implemented on this backend, but I'm not
> sure about how to accomplish it.
>
> 'Description' section of slapd-ldap man page tells that "sessions that
> explicity bind to the back-ldap database always create their own
> private connection to the remote LDAP server" (as I have verified
> myself), and then it explains that "for sessions bound through other
> mechanisms all sessions with the same DN will share the same
> connection". What mechanisms is the text referring to?
It essentially means that if you connect to back-ldap using an auth
mechanism other than simple bind with a DN belonging to the back-ldap
database's naming context, operations on that connection will use a pooled
connection and will be anonymous. If you want non-anonymous connections,
you need to use the idassert feature, so that the proxy binds to the
remote host with a given identity, and adds a proxyAuthz control to each
operation, which is performed using the pooled connection, authorizinmg as
the client's identity.
I don't remember what back-meta exactly does in current 2.3, since it's
been completely reworked in HEAD to reproduce this bhavior of back-ldap.
Portions of that recoding already made into 2.3, and more will follow
shortly, but not yet in 2.3.28.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati@sys-net.it
------------------------------------------