[Replying to both messages]
Emmanuel Dreyfus wrote:
> On Fri, Feb 19, 2010 at 07:53:09AM +0100, Emmanuel Dreyfus wrote:
>> A simple solution in the single master situation is to redirect any SASL
>> OTP bind to the master. As far as I understand, we have no way of
>> configuring this right now, it needs to add some code, right?
> Perhaps slapo-rwm can do that? Is there a way of matching OTP
> binds?
I'm afraid slapo-rwm can't do anything like that, since it is not
involved in SASL binds (not even in rewriting identities).
To go back to your initial statement, redirecting SASL OTP binds to the
master may sound simple, but the question is: is it acceptable? I mean:
isn't it defeating the purpose of using replicas in the first place?
Going a bit technical, we need to let SASL bind know that some mechs may
need to behave differently. But redirecting SASL binds to the master
means playing man-in-the-middle, we'd rather need to have distributed
SASL binds. Not familiar enough with SASL's internals to debate. As
far as I understand, auxprops is the intended method to implement
distributed SASL info storage and thus (try to) support distributed SASL
bind. However, this means that not only slap_auxprop_store() needs to:
- understand it's acting on behalf of a shadow database
- redirect writes to the master
but also
- wait for replication to complete
before authentication can continue.
A totally different approach would be to have auxprop handling,
including reads, redirected to the master. In this latter case, auxprop
info (at least for specific SASL mechs) shouldn't be replicated at all.
p.
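The point the thread turns on (an OTP bind is not a pure read: the verifier must advance the hash chain, so a shadow database that cannot write back either refuses the bind or becomes replayable) can be shown with a small RFC 2289-style implementation. This is an added illustration, not code from the thread or from slapd: the MD5 hash chain is the RFC 2289 one, but `Store`, `ShadowStore`, `verify`, the user name, seed and passphrase are constructed stand-ins for the auxprop data slapd would hold, and "forward writes to the master then pull the result back" is a synchronous simulation of the "redirect writes, wait for replication" sequence described above.

```python
"""Added illustration: why a SASL OTP bind needs a state write that a read-only
replica cannot perform. RFC 2289 (S/Key-style) MD5 hash chain plus a toy
master/shadow store; all names, users and seeds below are constructed."""
import hashlib
from dataclasses import dataclass


def _fold(digest: bytes) -> bytes:
    # RFC 2289 folding: XOR the two 8-byte halves of the MD5 digest into 64 bits.
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))


def _step(x: bytes) -> bytes:
    return _fold(hashlib.md5(x).digest())


def otp_generate(passphrase: str, seed: str, seq: int) -> bytes:
    """The one-time password for sequence number `seq` (client side)."""
    x = _fold(hashlib.md5((seed.lower() + passphrase).encode()).digest())
    for _ in range(seq):
        x = _step(x)
    return x


@dataclass
class OtpState:
    seq: int
    seed: str
    last: bytes  # most recently accepted OTP; verifier checks hash(candidate) == last


class ReadOnlyError(Exception):
    pass


class Store:
    """Master: in-memory stand-in for the auxprop attributes slapd keeps."""
    def __init__(self):
        self.data = {}

    def get(self, user):
        return self.data[user]

    def put(self, user, state):
        self.data[user] = state


class ShadowStore(Store):
    """Replica holding a copy of the master's data. With forward_writes=False it
    is a plain read-only consumer; with True it redirects the write to the
    master and pulls the result back before returning (a synchronous stand-in
    for 'wait for replication to complete')."""
    def __init__(self, master, forward_writes):
        super().__init__()
        self.master = master
        self.forward_writes = forward_writes
        self.data = dict(master.data)  # initial replication

    def put(self, user, state):
        if not self.forward_writes:
            raise ReadOnlyError("shadow database")
        self.master.put(user, state)
        self.data[user] = self.master.get(user)


def check_only(store, user, candidate):
    """Hash check with no state update: a replica that 'just authenticates'."""
    st = store.get(user)
    return st.seq > 0 and _step(candidate) == st.last


def verify(store, user, candidate):
    """Proper OTP verification: accept only if the advanced state is persisted."""
    if not check_only(store, user, candidate):
        return False
    st = store.get(user)
    try:
        store.put(user, OtpState(st.seq - 1, st.seed, candidate))
    except ReadOnlyError:
        return False  # cannot advance the chain; refuse rather than allow replay
    return True


def demo():
    passphrase, seed, seq = "correct horse battery", "ke1234", 99  # constructed
    master = Store()
    master.put("alice", OtpState(seq, seed, otp_generate(passphrase, seed, seq)))
    otp = otp_generate(passphrase, seed, seq - 1)  # what the client sends

    readonly = ShadowStore(master, forward_writes=False)
    replay_on_readonly = [check_only(readonly, "alice", otp) for _ in range(2)]
    strict_on_readonly = verify(readonly, "alice", otp)

    forwarding = ShadowStore(master, forward_writes=True)
    first = verify(forwarding, "alice", otp)
    second = verify(forwarding, "alice", otp)
    return {
        "replay_on_readonly": replay_on_readonly,  # [True, True]: same OTP twice
        "strict_on_readonly": strict_on_readonly,  # False: no state write, no bind
        "forwarded_first": first,                  # True
        "forwarded_replay": second,                # False: chain advanced on master
        "master_seq": master.get("alice").seq,     # 98
    }


if __name__ == "__main__":
    print(demo())
```

The read-only case is the one to watch: the hash comparison alone passes every time, so a consumer that answers the bind without persisting the new sequence number turns a one-time password into a reusable one. Either the bind is refused (as `verify` does when the write fails) or the write has to reach the master and be visible before the bind completes, which is the "wait for replication" step in the message above.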