Hello list,
With the following scenario
Client (A) <-----> back_ldap Proxy (B) <-----> syncrepl Slave (C) <-----> Master (D)
and B and C use a binddn that only has full read permissions on the database, except for a couple of attributes, on which it has full write permissions. Also, each of the represented nodes can only "talk" to the nodes to which there is a represented connection, so (A) and (B) cannot chase a configured referral to (D).
What would be the proper way to set up (B) and (C) so that (A) could push updates for the couple of attributes into the master (D) node?
At the Slave level, I've already set up chaining and made it use (D) as updateref, but then any push on (B) would not propagate. I also noticed that although I used mode=self in the chaining, I had to configure a binddn which had full write permissions. Wouldn't it be sufficient to have a full-read-enabled binddn, or even no binddn at all, since the bind would then be made using the client's credentials?
This is not going to work, because using mode=self, idassert authc's as the proxy identity, and then proxyauthz's as the user's identity. As a consequence, when the slave tries to chain a modification, it finds the proxyauthz control already in use, and cannot assert the original identity.
Distributed procedures (distproc, currently not implemented) would be needed to fit your needs.
p.
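As an added illustration, not taken from the thread, this is the shape of slapd.conf the scenario above describes: (B) as a back-ldap proxy using idassert mode=self in front of (C), and (C) as a syncrepl slave with slapo-chain pointing at (D). Hostnames, DNs and credentials are placeholders; per the reply, the second mode=self hop on (C) is where a chained write from (A) cannot re-assert the original identity.

```conf
############################################################
# (B) back-ldap proxy in front of the slave (C).
# Binds as the proxy identity, then asserts the client's
# identity with the proxyAuthz control (mode=self).
############################################################
database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://slave.example.com"
idassert-bind   bindmethod=simple
                binddn="cn=proxy,dc=example,dc=com"
                credentials="placeholder-secret"
                mode=self
# allow any authenticated client identity to be asserted
idassert-authzFrom "dn.regex:.*"

############################################################
# (C) syncrepl slave of the master (D), with slapo-chain so
# that writes are chased to (D) instead of being returned to
# (B) as a referral that (B) cannot follow.
############################################################
database        mdb
suffix          "dc=example,dc=com"
directory       /var/lib/ldap
syncrepl        rid=001
                provider="ldap://master.example.com"
                type=refreshAndPersist
                searchbase="dc=example,dc=com"
                bindmethod=simple
                binddn="cn=replicator,dc=example,dc=com"
                credentials="placeholder-secret"
updateref       "ldap://master.example.com"

overlay         chain
chain-uri       "ldap://master.example.com"
# Second mode=self hop: a write arriving from (B) already
# carries (B)'s proxyAuthz control, so the chain overlay
# cannot assert the original client identity again.
chain-idassert-bind bindmethod=simple
                binddn="cn=proxy,dc=example,dc=com"
                credentials="placeholder-secret"
                mode=self
chain-return-error TRUE
```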