Hi, I have a slapd 2.3.27 configuration proxying external directories via backend-meta, using the directives 'pseudorootdn' and 'pseudorootpw' to authenticate against the external directories, so I always connect to slapd with the meta backend's rootDN, and I'd like to use the connection pooling mechanism implemented in this backend, but I'm not sure how to accomplish it.
The 'Description' section of the slapd-ldap man page says that "sessions that explicitly bind to the back-ldap database always create their own private connection to the remote LDAP server" (as I have verified myself), and then it explains that "for sessions bound through other mechanisms all sessions with the same DN will share the same connection". What mechanisms is the text referring to?
It essentially means that if you connect to back-ldap using an auth mechanism other than a simple bind with a DN belonging to the back-ldap database's naming context, operations on that connection will use a pooled connection and will be anonymous. If you want non-anonymous connections, you need to use the idassert feature, so that the proxy binds to the remote host with a given identity and adds a proxyAuthz control to each operation, which is performed using the pooled connection, authorizing as the client's identity.
I don't remember what back-meta exactly does in current 2.3, since it's been completely reworked in HEAD to reproduce this behavior of back-ldap. Portions of that recoding already made it into 2.3, and more will follow shortly, but not yet in 2.3.28.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:  +39.02.23998309
Mobile:  +39.333.4963172
Email:   pierangelo.masarati@sys-net.it
------------------------------------------
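To make the idassert setup described in the answer concrete, here is an added example that is not part of the original thread and not taken from the OpenLDAP documentation. It shows a back-ldap proxy configured with idassert-bind so that operations arriving over the pooled connection carry the client's DN in a proxyAuthz control instead of running anonymously, together with the settings the remote server needs to accept that control. The hostname, DNs, credentials and the "ou=people" subtree are placeholders; the directive syntax follows slapd-ldap(5) and slapd.conf(5) of the 2.3 series, so check the man pages shipped with your exact release (back-meta in 2.3 still uses the per-target pseudorootdn/pseudorootpw directives the question mentions, which, as the answer says, do not yet reproduce this behavior).

```conf
########## proxy host: slapd.conf ##########

# Proxy database for the remote directory.  ldap://remote.example.com
# and every DN below are placeholders, not values from the thread.
database        ldap
suffix          "dc=example,dc=com"
rootdn          "cn=manager,dc=example,dc=com"
uri             "ldap://remote.example.com/"

# Identity the proxy itself binds with on the remote server.  Clients that
# did a simple bind against this database still get their own private
# connection; everyone else (e.g. SASL-authenticated sessions) is served
# over the pooled connection opened as this identity.  mode=self makes the
# proxy attach a proxyAuthz control carrying the client's own DN to each
# operation on that pooled connection.  (The default mode, legacy, also
# asserts the client identity whenever the client is not anonymous.)
idassert-bind   bindmethod=simple
                binddn="cn=proxy,ou=services,dc=example,dc=com"
                credentials="proxy-secret"
                mode=self

# Which local identities may be asserted through the proxy identity.
# Keep this narrow: "dn.regex:.*" would let any local identity ride on
# the proxy's credentials.
idassert-authzFrom "dn.regex:^uid=[^,]+,ou=people,dc=example,dc=com$"

########## remote host: slapd.conf ##########

# Let the asserting entry (the proxy's) decide, via its authzTo values,
# whose identity it may assert.  Without an authz-policy that covers the
# proxy, the remote slapd rejects the proxyAuthz control and the
# operation fails rather than falling back to the proxy's own identity.
authz-policy    to

########## remote host: the proxy's own entry (LDIF) ##########
# The proxy may only assert identities matching authzTo; the asserted DN
# must exist on the remote server and the remote ACLs are evaluated
# against that DN, not against cn=proxy.
dn: cn=proxy,ou=services,dc=example,dc=com
objectClass: applicationProcess
objectClass: simpleSecurityObject
cn: proxy
userPassword: proxy-secret
authzTo: dn.regex:^uid=[^,]+,ou=people,dc=example,dc=com$
```

Two checks worth doing after deploying this: bind to the proxy with a SASL mechanism as a user under ou=people and confirm on the remote server (loglevel stats) that the operation arrives over the cn=proxy connection but is authorized as the user's DN; then bind as a DN outside the idassert-authzFrom pattern and confirm the operation is refused rather than silently executed as cn=proxy. Both authzTo and idassert-authzFrom should stay scoped to the subtree that actually needs proxying, since together they define exactly which identities the proxy's credentials can impersonate on the remote server.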