
RE: Lunch for the answer: Referral ACL question



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Steve Sullivan

> We're setting up a distributed OpenLDAP service, with a "local"
> root server and a "remote" server for a subtree, but I'm having
> trouble with the ACLs.
>
> I present ldapsearch -C queries to the local server, and for entries held
> in the remote subtree ldapsearch successfully follows the referral.
> It all works fine when both local and remote ACLs have:
>     access to * by * read
>
> But if I use something more reasonable, like:
>     access to *
>         by users read
>         by anonymous auth
>
> then the ldapsearch fails (no error msg, just no results).

> Looking at the debug log on the remote server, it appears that
> when I issue ldapsearch -C to the local server, when ldapsearch
> follows the referral it isn't presenting any credentials
> to the remote server ...

That's the way the command line tools work; they always chase referrals
anonymously. It's a security risk to send your password to an unknown server,
and the tools have no way of knowing the difference between a "trusted" and
"untrusted" server.

When you're setting up a cooperative distributed service, back-ldap is a
better solution than using referrals.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
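
The trust decision described in the reply above, as an added example that is not part of the original message and is not OpenLDAP code: a sketch of the policy a custom client could apply before rebinding on a referral, sending credentials only to an allow-listed server over `ldaps://` and staying anonymous otherwise. The function names, host names and the allow-list are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed allow-list of (host, port) pairs the deployment operates itself.
TRUSTED_SERVERS = frozenset({("remote.example.com", 636)})
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def referral_bind_policy(referral_url, trusted=TRUSTED_SERVERS):
    """Return "credentials", "anonymous" or "refuse" for one referral URL."""
    try:
        parts = urlsplit(referral_url)
        scheme = parts.scheme.lower()
        # .hostname drops any userinfo, so "trusted@rogue" resolves to "rogue".
        host = (parts.hostname or "").lower().rstrip(".")
        port = parts.port or DEFAULT_PORTS.get(scheme)
    except ValueError:  # malformed host or out-of-range port
        return "refuse"
    if scheme not in DEFAULT_PORTS or not host:
        return "refuse"
    # Credentials only travel over TLS, and only to a server on the allow-list.
    if scheme == "ldaps" and (host, port) in trusted:
        return "credentials"
    return "anonymous"


def plan_referrals(urls, trusted=TRUSTED_SERVERS):
    """Map each referral URL to the bind decision for it."""
    return {url: referral_bind_policy(url, trusted) for url in urls}


# Constructed referral URLs, shaped like those a server might return.
SAMPLE_REFERRALS = [
    "ldaps://remote.example.com/ou=remote,dc=example,dc=com",
    "ldap://remote.example.com/ou=remote,dc=example,dc=com",
    "ldaps://remote.example.com@rogue.example.net/dc=example,dc=net",
    "ldaps://remote.example.com:1636/ou=remote,dc=example,dc=com",
    "http://remote.example.com/",
]

if __name__ == "__main__":
    for url, decision in plan_referrals(SAMPLE_REFERRALS).items():
        print(f"{decision:12} {url}")
```
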