[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Referral -> insufficient access



At 11:37 AM 9/3/99 +0200, Frédéric Poels wrote:
>How comes it works (using the same OpenLDAP ldap* tools) with another
>directory server?
>I cannot manage to find a "-R" option to ldapadd (the one that comes with
>OpenLDAP 1.2.6).

My mistake.  The tools which do modification don't have -R as
this *should* be the default behavior (to not chase referrals).
It actually looks like they do not actually set don't chase.
IMO, that's a bug.

In fact, for ldapsearch w/ simple password, the default should
be off.  All commands should have a feature to enable chasing
with and without prompting.

  -R	disable referral chasing
  -C	enable referral chasing with prompting
  -CC	enable referral chasing without prompting

The default should depend upon the authentication mechanism
in use.

>
>Thanks for your help!
>
>Frederic.
>
>At 13:12 2/09/99 -0700, you wrote:
>>At 07:12 PM 9/2/99 +0200, Frédéric Poels wrote:
>>>I am running slapd 1.2.6 on two AIX machines, replicating from one to
>another.
>>>Replication works fine wrom Master to Slave. Changes applied to the Master
>>>are replicated to the slave. Changes applied to the slave return an
>>>"Insufficient access" error.
>>
>>Changes to the slave should be referred to the master.  The
>>client should automatically chase this referral.  However,
>>many clients (including OpenLDAP ldap* tools) do not support
>>rebind when simple bind is in use.  This is a security feature.
>>
>>As OpenLDAP 1.x only implements simple bind, all of the
>>provided clients do not rebind when chasing referrals.
>>
>>When using the command line tools which may modify the
>>directory, it's best to use the -R option and than manually
>>chase the referral by reissuing the command to the
>>appropriate server.
>>
>>You are, of course, welcome to hack up the clients to support
>>rebinding...  (I would welcome patches that implement rebind
>>in a manner that provided adequate transmission of credentials
>>to unintended server).
>>
>>Kurt
>>
>>
>
>