Bind Requests in a Distributed Environment

CA Directory lets you define how much each DSA should trust another. By default, security is tight. The settings let you selectively relax security between DSAs.
In a distributed network of DSAs, users can bind to one DSA when their entries are held on a second DSA. When the initial bind is made, the DSA can forward the password compare check to a second DSA if certain authentication parameters are set.
To allow users to bind to a local DSA when their details are held on a remote DSA, set allow check password to true. This is set to true by default.
When a bind is requested, the local DSA forwards a Password Compare request to the remote DSA. If this returns a Compare Confirm with the assertion true, the local DSA returns a Bind Confirm message to the user.
A request can include a chaining-prohibited control. CA Directory ignores this control.
Example: Forward a Password Check to Another DSA
In this example, the router DSA contains no entries. This means that the router DSA must delegate checks of user credentials to another DSA.
The Customers DSA contains the entries for the customers, including the credentials required during binds. The Allow check password setting for the Customers DSA is true.
The following diagram shows how the router DSA delegates a password check to the Customers DSA:
How the router DSA delegates a password check to the Customers DSA
  1. The router DSA receives a bind request from a user whose credentials are stored in the Customers DSA. The router DSA cannot check the user's credentials, but it knows that the Customers DSA can.
  2. The router DSA checks the configuration of the Customers DSA to see whether it can trust the Customers DSA to authenticate a user. The Allow check password setting indicates that this is permissible.
  3. The router DSA requests the Customers DSA to authenticate the user.
  4. The Customers DSA responds with the user's authentication.
  5. The router DSA returns the bind confirmation to the client.
Change the Allow check password Setting
The Allow check password setting allows a DSA to delegate the password check to another DSA. It is enabled by setting trust-flags = allow-check-password in the knowledge file for the DSA where the users being authenticated are stored.
For example, when binding to a router DSA where the bind DN specifies an entry that resides in a data DSA, the data DSA requires the allow-check-password setting to be enabled. Otherwise, the router does not forward the password compare and refuses the bind attempt with invalidCredentials.
When running tracing at the assoc level on the router, the following diagnostic indicates that this item must be set: 
remoteCheckNextSimilar: Needs allow-check-password
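As an added configuration check, not part of the CA Directory documentation or product, the following Python parses a constructed knowledge-file fragment and reports which DSAs carry the allow-check-password trust flag, so a missing flag on the data DSA can be caught before a router bind fails with invalidCredentials. It assumes the knowledge-file "set dsa" block syntax; the DSA names, DNs, addresses and passwords in the sample are made up.

```python
"""Added check: does a CA Directory knowledge file grant allow-check-password
to the DSA that holds the user entries?  Sample data below is constructed."""
import re

# Constructed knowledge-file fragment (names, DNs, addresses are made up).
# The Customers DSA holds the user entries and so needs allow-check-password;
# the Router DSA holds no entries and does not.
KNOWLEDGE = '''
set dsa "Router" =
{
    prefix       = <>
    dsa-name     = <cn Router>
    dsa-password = "secret"
    address      = tcp "router.example.com" port 19389
    auth-levels  = clear-password
    trust-flags  = trust-conveyed-originator
};
set dsa "Customers" =
{
    prefix       = <c AU><o Democorp><ou Customers>
    dsa-name     = <c AU><o Democorp><cn Customers>
    dsa-password = "secret"
    address      = tcp "customers.example.com" port 19389
    auth-levels  = clear-password
    trust-flags  = allow-check-password, trust-conveyed-originator
};
'''

# One 'set dsa "<name>" = { ... };' block per DSA (assumed syntax).
DSA_BLOCK = re.compile(r'set\s+dsa\s+"([^"]+)"\s*=\s*\{(.*?)\};', re.S)

def parse_trust_flags(knowledge):
    """Map each 'set dsa' block name to the set of its trust-flags values."""
    flags = {}
    for name, body in DSA_BLOCK.findall(knowledge):
        m = re.search(r'^\s*trust-flags\s*=\s*(.+?)\s*$', body, re.M)
        flags[name] = {f.strip() for f in m.group(1).split(',')} if m else set()
    return flags

def allows_check_password(knowledge, dsa_name):
    """True if other DSAs may forward password compares to dsa_name."""
    return 'allow-check-password' in parse_trust_flags(knowledge).get(dsa_name, set())

def delegation_report(knowledge, dsa_names):
    """For each DSA, 'ok' if a router can delegate the bind check to it,
    otherwise the assoc-level trace message the text says will appear."""
    return {d: 'ok' if allows_check_password(knowledge, d)
            else 'remoteCheckNextSimilar: Needs allow-check-password'
            for d in dsa_names}
```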