
Re: SASL OTP and syncrepl



Pierangelo Masarati <masarati@aero.polimi.it> wrote:

> Not necessarily.  Every write to a well-configured replica should be 
> rejected with a referral.  The chain overlay will intercept the referral
> and chase it, applying the modification to the master.  You need to 
> check why no referral is returned, since the master's value eventually
> overrides the replica's.  Either the configuration uses an identity that
> bypasses shadow checks (like the updatedn) or some SASL-related code 
> (slap_auxprop_store?) is performing an internal modification with some
> special flag that bypasses shadow checks.  

I believe the offending code is in
servers/slapd/sasl.h:slap_auxprop_store()

It seems we use the authc Id:
        slap_propnames[SLAP_SASL_PROP_AUTHC]

But there are no special flags:
        mod->sml_flags = 0;

Nothing in the logs on the master. On the client I have this at bind
time:
 SASL [conn=219246] Error: SASL error opening password file. Do you have
write permissions?  
 SASL [conn=219246] Failure: Could not open db for write 

But it happens all the time, OTP being used or not.
 
-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@netbsd.org
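As an added illustration of the replica behaviour Pierangelo describes (this is an example configuration, not something posted in the thread or taken from the OpenLDAP sources), the slapd.conf fragment below shows a syncrepl consumer that refuses client writes with a referral to the provider, with the chain overlay loaded so that the referral is chased and the modification lands on the master. The host names, suffix, DNs and credentials are placeholders.

```conf
# Example consumer configuration (added illustration, not from the thread).
# All host names, DNs and credentials below are placeholders.

# The chain overlay is configured on the frontend so that any referral
# returned by a database on this server is chased transparently.  The
# identity used for the chained operation is asserted on behalf of the
# original client ("mode=self"), so the master still sees who wrote.
overlay             chain
chain-uri           ldap://master.example.com
chain-idassert-bind bindmethod=simple
                    binddn="cn=chain-proxy,dc=example,dc=com"
                    credentials=REPLACE_ME
                    mode=self
chain-return-error  TRUE

database            bdb
suffix              "dc=example,dc=com"
rootdn              "cn=manager,dc=example,dc=com"
rootpw              REPLACE_ME
directory           /var/openldap-data

# Pull changes from the provider; this identity only needs read access
# to the replicated subtree on the master.
syncrepl            rid=001
                    provider=ldap://master.example.com
                    type=refreshAndPersist
                    searchbase="dc=example,dc=com"
                    bindmethod=simple
                    binddn="cn=replicator,dc=example,dc=com"
                    credentials=REPLACE_ME

# Mark this database as a shadow: client writes are answered with a
# referral to this URI instead of being applied locally.  Without the
# chain overlay above, clients would get LDAP result 10 (referral).
updateref           ldap://master.example.com
```

A quick way to confirm the shadow check is active is to comment out the `overlay chain` block, restart slapd and attempt an ordinary modify against the consumer: it should fail with result code 10 (referral) naming the `updateref` URI. If the write is instead applied locally, the operation is being performed by an identity or code path that bypasses the shadow check, which is exactly the case Pierangelo suggests looking for.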