[Date Prev][Date Next] [Chronological] [Thread] [Top]

slapo-chain



Hello

I have the following setup:

ldap0 is the LDAP master
ldap1 and ldap2 are replicas using syncrepl.

- Users can use simple authentication on the 3 servers. 
- ldap0 holds a bunch of ACL to handle modifications
- ldap1 and ldap2 have minimal ACL and are there just for reading
- Mutual authentication between master and replicas is done by TLS
certificates. 

Now I'd like the replicas to follow updatedn referrals on behalf of the
client. That way clients could ask ldap1 and ldap2 to perform
modifications, and that would just work. As I understand, this is done
through slapo-chain. 

The modification has to be done on behalf of the user that authenticated
on the replica (else my ACL will block). I don't want to give replicas
an universal write access to the master, because that will mean I'll
have to duplicate the ACL between the master and the replicas. For
performance and maintainability sake, I want to avoid that.

In an ideal world, I'd like replicas to connect to the master using
their certificates, and the master would trust the user identity, as it
was authenticated on the replica. Is there an example of how this should
be done?

I had a look to the test suite, and it does not help very much, as I'm
not familiar enough with the authz stuff to grasp enough of how it is
supposed to work.

I tried this on the replica, as global option:

overlay                 chain
chain-uri               ldaps://ldap0
chain-idassert-bind    bindmethod=sasl  
                                saslmech=EXTERNAL
                                mode=self

But the modification operation is done using the identity from the
replica TLS certificate (which fails) and not from the initial user.

Any hint? 

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@netbsd.org