[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Chain Overlay and SASL Proxy Auth with Multiple Referrals.

To: masarati@aero.polimi.it
Subject: Re: Chain Overlay and SASL Proxy Auth with Multiple Referrals.
From: Tim Stewart <tim@stoo.org>
Date: Mon, 2 Nov 2009 14:32:32 -0500
Cc: OpenLDAP Software <openldap-software@openldap.org>
In-reply-to: <48051.93.149.38.222.1256926517.squirrel@www.aero.polimi.it>
References: <867F2141-A693-4D72-B7F7-1E28FAFF4B89@stoo.org> <48051.93.149.38.222.1256926517.squirrel@www.aero.polimi.it>

Hello,

On Oct 30, 2009, at 2:15 PM, masarati@aero.polimi.it wrote:

You hit a limitation of chaining as it is implemented today:chaining ofchained operations (namely, using idassert with proxiedauthorization, aswhen mode=self) is explicitly disallowed, as back-ldap refuses toadd aninstance of the proxied authorization control when one is alreadypresent.
This is the case of chained requests.  This limitation would be
eliminated by the implementation of distributed procedures,currently a
work in progress (stalled, I believe).

OK, thanks, this is the sort of input I was looking for. I won'twaste any more time trying to get it to work.

Let me add that I find your setup a little bit nonsensical: if youhaveshadow databases that are exact replicas of the producer, then eachshadow
should be able to answer read requests.  As a consequence, there is no
need to chain a shadow to another shadow. As a consequence, youshould
rather chain all shadow servers to the producer.

Each shadow can (and will) answer read requests; I am concerned withwrites. The configuration is actually more complex than I described.I simplified the overall layout to be as simple as necessary to ask myquestion.

I have 5 sites, each with a writable copy of the data usually used forthat site (in its own OU), and a read-only version of all the othersites' data. All replication goes through a central hub to simplifyconfiguration. This way, I only have to modify the configuration ofthe central hub and a single site's server when a new site comesonline, and all the other servers automatically get the new data.

The purpose of this layout is that each site should functionindependently if cut off from the other sites (which does happen) andwill still have read-only access to the other sites' data, which isalso necessary for normal operation.

Everything is working well with respect to replication. I was hopingto add the chain overlay as a convenience but I don't mind dropping it.


Thanks for the assistance,

--
-TimS

Tim Stewart
Stoo Research
tim@stoo.org

Prev by Date: cannot allocate 0 byte
Next by Date: Re: Chain Overlay and SASL Proxy Auth with Multiple Referrals.
Index(es):
- Chronological
- Thread