Torsten Schlabach (Tascel eG) wrote:
Hi!
It works this way:
[...]
Ok. But in the very case, it's actually not the client who would want to read the authzTo attribute, but Server B. Server B tries to decide if a specific user who authenticated is allowed to assume the authorization of a different user. For that reason, Server B tries to read the authzTo attribute of the user object. That user object lives on Server A and does not have an authzTo attribute but only a saslAuthzTo attribute, due to the fact that the name of that internal attribute changed between 2.2 and 2.3.
We can see Server B querying Server a for the authzTo attribute. So that part is fine.
That's not fine: the mapping from authzTo to saslAuthzTo should have occurred before the request goes from server B to server A. The "internal search" means that server B tries to get an entry's authzTo attribute, and that entry happens to reside in server A through the proxy database, so server B tries to access what believes is a local database, but it's rather a proxy, and the internal request is treated by the proxy like any other request and is mapped accordingly.
From the log files I can see there is something like "internal search". Would an overlay and a rwn-map apply to such an internal search as well?
I can imagine a few scenarios where this type of request can happen. Can you specify yours, to speed up debugging? What I need is a minimal setup of both servers, complete of slapd.conf and any required LDIF, plus information about the operation that should trigger the internal search. Please make sure you strip any sensitive data, and keep it to a minimal size.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it --------------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Email: pierangelo.masarati@sys-net.it ---------------------------------------