> Hello list,
>
> With the following scenario
>
> Client (A) <-----> back_ldap Proxy (B) <-----> syncrepl Slave (C) <-----> Master (D)
>
> and B and C use a binddn that only has full read permissions on the
> database, except for a couple of attributes, on which it has full write
> permissions. Also, each of the represented nodes can only "talk" to the
> nodes to which there is a represented connection, so (A) and (B) cannot
> chase a configured referral to (D).
>
> What would be the proper way to set up (B) and (C) so that (A) could push
> updates for the couple of attributes into the master (D) node?
>
> At the Slave level, I've already set up chaining and made it use (D) as
> updateref, but then any push on (B) would not propagate. I also noticed
> that although I used mode=self in the chaining, I had to configure a
> binddn which had full write permissions. Wouldn't it be sufficient to
> have a full read enabled binddn or even no binddn at all, since the bind
> would then be made using the client's credentials?
This is not going to work, because using mode=self, idassert authc's as the proxy identity, and then proxyauthz's as the user's identity. As a consequence, when the slave tries to chain a modification, it finds the proxyauthz control already in use, and cannot assert the original identity.

Distributed procedures (distproc, currently not implemented) would be needed to fit your needs.

p.
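To make the failure described above concrete, here is an added slapd.conf sketch of the two hops involved; it is not configuration from the original poster or from the OpenLDAP project, and the host names, suffix, proxy DN and credentials are placeholders I assumed. The (B) block uses the slapd-ldap(5) idassert-bind directive, the (C) block the equivalent chain-idassert-bind of slapo-chain(5); both with mode=self, which is the setting the reply explains cannot be chained twice.

```conf
########################################################################
# (B) back-ldap proxy, pointing at the syncrepl slave (C)
# (assumed layout; every name below is a placeholder)
########################################################################
database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://slave.example.com"

# Bind to (C) as the proxy identity, then proxyAuthz as the client (A).
# This is the first use of the proxyAuthz control on the request path.
idassert-bind   bindmethod=simple
                binddn="cn=proxy,dc=example,dc=com"
                credentials="PLACEHOLDER-SECRET"
                mode=self
idassert-authzFrom "dn.regex:.*"

########################################################################
# (C) syncrepl slave, chaining writes to the master (D)
########################################################################
database        bdb
suffix          "dc=example,dc=com"
directory       /var/lib/ldap

# Referral returned to writers; chain overlay follows it on their behalf.
updateref       "ldap://master.example.com"

overlay         chain
chain-uri       "ldap://master.example.com"

# mode=self here would require a second proxyAuthz control (again
# asserting the identity of (A)) on the chained operation.  As the reply
# notes, the slave finds that control already in use on the operation it
# received from (B), so the original identity cannot be asserted towards
# (D); this is why a binddn with full write rights on (D) was needed
# instead of a read-only one, and why no supported chaining mode fixes it
# without distproc.
chain-idassert-bind bindmethod=simple
                binddn="cn=proxy,dc=example,dc=com"
                credentials="PLACEHOLDER-SECRET"
                mode=self
chain-return-error TRUE
```

The fragment is only meant to show where the two proxyAuthz assertions collide; from a least-privilege standpoint the important caveat is that, as the reply states, the only way to make the chained write succeed with this topology is to give the chaining binddn itself write access on (D), so its credentials on (C) deserve the same protection as the master's own administrative credentials.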
