[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Meta Idassert-bind



Thankyou, I shall raise a bug report for you.

Drew

Andrew Graham
ICT
AgustaWestland UK
Tel No: +44 (0) 1935 70 4421
andrew.graham@agustawestland.com

>>> Pierangelo Masarati <ando@sys-net.it> 31/07/2008 19:42:07 >>>

----- "Andrew Graham" <andrew.graham@agustawestland.com> wrote:

> ***  Before acting on this email or opening any attachment you are
> advised to read the disclaimer at the end of this email ***
> 
> I've re-read my original message and it didn't make alot of sense.
So
> here's take two!
> 
> I'm using back-meta to attempt to amalgamate several ldap servers
> into
> one single tree. This should cater for users that exist only in a
> local
> BDB database, and also for users with accounts in one of the target
> ldap
> servers. If I say 'local' or 'remote' user at any point, I'm
> referring
> to users stored in the local bdb database or a remote ldap server
> respectively. I shall refer to the local openldap server as the
proxy
> server.
> 
> The meta database is subordinate to the local database. This allows
> me
> to have a base record for the entire directory.
> 
> Everything works perfectly for targets that don't require a bind
> before
> searching. For targets that do require a successful bind, I've been
> trying to use the 'idassert-bind' feature with mixed results. The
> following is a description of the behaviour I am trying to achieve:
> 
> If a local user binds to the proxy server, and performs a query with
> one or more targets in scope, then the proxy server should use
> predefined credentials to bind to and search only the targets in
> scope
> on behalf of the local user.
> 
> If a remote user binds to the proxy server, and performs a query
> affecting only the target where that user is stored, then the proxy
> server should bind to that target using the credentials supplied by
> the
> remote user. If there are any other targets in the scope of the
> query,
> openldap should not attempt to use the predefined credentials to
bind
> to
> and search on that target.
> 
> To try to achieve this, I have placed all local users in their own
> branch of the tree, and set the 'idassert-authzFrom' for each target
> to
> match this branch only, thus preventing remote users from using the
> idassert feauture and barring them from querying other targets than
> their own. 
> 
> Here is the first of two 'interesting' results. If I bind to the
> proxy
> server as a remote user with multiple targets in scope, the bind is
> proxied to the remote user's target correctly. The proxy then
> proceeds
> to attempt to bind to the other targets in scope using seemingly
> random
> names. Some examples (captured with wireshark) are '\270+1\b',
> '\250\202/\b\005', '\220\241\322\267\220\241\322\267\020' and
> 'x\267.\b'. The name changes every time, but each time no password
is
> provided. The proxy will not attempt to search any of the targets
> after
> binding, even the target to which the user belongs.
> 
> I'm not sure I understand the purpose of the 'non-prescriptive'
flag,
> but if I set it on each target (as Pierangelo suggested previously),
> the
> unusual behaviour changes. When binding with a remote user, the
proxy
> will correctly bind to the target to which the remote user belongs
> using
> the remote users credentials. If another target is in scope, the
> proxy
> will attempt to bind to it without name or password. The proxy will
> proceed to search the targets. This is fine for my situation, but I
> would like to understand why this happens?
> 
> The second problem I'm having is with the local users. If the
> 'network-timeout' statement is used in the meta database definition,
> whenever a local user binds to the proxy and queries one or more of
> the
> target servers, the proxy will attempt to bind to the targets with
> the
> predefined name but with no password. If network-timeout is not
> specified, the proxy binds with both the predefined name and
password
> to
> every target in scope. Is this behaviour intended or a bug? 

I think your explanation is clear enough, provided some of the
behaviours you describe are quite unexpected.  There seems to be quite a
few bugs in this feature.  Unfortunately, I won't be able to work at it
in the next few days, you'll need to wait at least until the end of next
week.

p.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it 
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it 
-----------------------------------


*** Disclaimer ***
The information contained in this E-Mail and any subsequent correspondence may be subject to the Export Control Act (ECA) 2002. The content is private and is intended solely for the recipient(s). 
For those other than the recipient any disclosure, copying, distribution, or action taken, or omitted to be taken, in reliance on such information is prohibited and may be unlawful.

If received in error please return to sender immediately.

Under the laws of England misuse of information that is subject to the ECA 2002, is a criminal offence.

Westland Helicopters Ltd 
Lysander Road 
Yeovil BA20 2YB 
England 

Registered in England under No 604352