Re: Referral -> insufficient access
At 11:37 AM 9/3/99 +0200, Frédéric Poels wrote:
>How come it works (using the same OpenLDAP ldap* tools) with another
>I cannot manage to find a "-R" option to ldapadd (the one that comes with
My mistake. The tools which do modification don't have -R as
this *should* be the default behavior (to not chase referrals).
It actually looks like they do not actually set don't chase.
IMO, that's a bug.
In fact, for ldapsearch w/ simple password, the default should
be off. All commands should have a feature to enable chasing
with and without prompting.
-R disable referral chasing
-C enable referral chasing with prompting
-CC enable referral chasing without prompting
The default should depend upon the authentication mechanism
>Thanks for your help!
>At 13:12 2/09/99 -0700, you wrote:
>>At 07:12 PM 9/2/99 +0200, Frédéric Poels wrote:
>>>I am running slapd 1.2.6 on two AIX machines, replicating from one to
>>>Replication works fine from Master to Slave. Changes applied to the Master
>>>are replicated to the slave. Changes applied to the slave return an
>>>"Insufficient access" error.
>>Changes to the slave should be referred to the master. The
>>client should automatically chase this referral. However,
>>many clients (including OpenLDAP ldap* tools) do not support
>>rebind when simple bind is in use. This is a security feature.
>>As OpenLDAP 1.x only implements simple bind, all of the
>>provided clients do not rebind when chasing referrals.
>>When using the command line tools which may modify the
>>directory, it's best to use the -R option and then manually
>>chase the referral by reissuing the command to the
>>You are, of course, welcome to hack up the clients to support
>>rebinding... (I would welcome patches that implement rebind
>>in a manner that provided adequate transmission of credentials
>>to unintended server).
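
The following is an added example, not part of the original message and not OpenLDAP code: a sketch of a client-side referral policy that combines the three proposed modes (-R, -C, -CC) with the rule that a simple-bind password is never repeated to a server the user did not designate. The function name, the `trusted_hosts` allowlist, the `ldaps` requirement and the host names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Modes mirror the options proposed in the message: -R, -C, -CC.
NO_CHASE, CHASE_PROMPT, CHASE_AUTO = "R", "C", "CC"


def plan_referral(referral_url, mode, bind_method, trusted_hosts,
                  confirm=lambda host: False):
    """Decide what to do with one referral (hypothetical helper).

    Returns (action, host) where action is one of:
      "report"          - do not chase; show the referral to the user
      "chase-anonymous" - follow it but send no credentials
      "chase-rebind"    - follow it and repeat the simple bind
    """
    parts = urlsplit(referral_url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError("not an LDAP referral URL: %r" % (referral_url,))
    if mode not in (NO_CHASE, CHASE_PROMPT, CHASE_AUTO):
        raise ValueError("unknown mode: %r" % (mode,))
    if bind_method not in ("anonymous", "simple"):
        raise ValueError("unsupported bind method: %r" % (bind_method,))
    host = parts.hostname.lower()

    if mode == NO_CHASE:
        return ("report", host)
    if mode == CHASE_PROMPT and not confirm(host):
        return ("report", host)

    # A simple bind transmits the password itself, so rebinding hands it to
    # whichever server the referral names. Assumed policy: only rebind when
    # the user listed that host in advance and the referral uses ldaps.
    if (bind_method == "simple" and host in trusted_hosts
            and parts.scheme == "ldaps"):
        return ("chase-rebind", host)

    # Otherwise follow the referral without credentials. For a modify sent
    # to a replica this is the case that ends in "Insufficient access" on
    # the master, as described in the thread.
    return ("chase-anonymous", host)


if __name__ == "__main__":
    # Constructed sample referral, as a replica might return for a write.
    ref = "ldap://master.example.com:389/dc=example,dc=com"
    print(plan_referral(ref, CHASE_AUTO, "simple", {"master.example.com"}))
```
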