
Re: Referral -> insufficient access

At 08:41 AM 9/3/99 -0700, Kurt D. Zeilenga wrote:
>At 11:37 AM 9/3/99 +0200, Frédéric Poels wrote:
>>How come it works (using the same OpenLDAP ldap* tools) with another
>>directory server?
>>I cannot manage to find a "-R" option to ldapadd (the one that comes with
>>OpenLDAP 1.2.6).
>My mistake.  The tools which do modification don't have -R as
>this *should* be the default behavior (to not chase referrals).
>It actually looks like they do not actually set don't chase.
>IMO, that's a bug.

My mistake, again... I really should finish my morning caffeine
intake before posting :-).   I had 2.0-devel on my brain.

With OpenLDAP 1.2 referrals must be explicitly enabled, hence
no bug.

>In fact, for ldapsearch w/ simple password, the default should
>be off.  All commands should have a feature to enable chasing
>with and without prompting.
>  -R	disable referral chasing
>  -C	enable referral chasing with prompting
>  -CC	enable referral chasing without prompting
>The default should depend upon the authentication mechanism
>in use.
>>Thanks for your help!
>>At 13:12 2/09/99 -0700, you wrote:
>>>At 07:12 PM 9/2/99 +0200, Frédéric Poels wrote:
>>>>I am running slapd 1.2.6 on two AIX machines, replicating from one to
>>>>Replication works fine from Master to Slave. Changes applied to the Master
>>>>are replicated to the slave. Changes applied to the slave return an
>>>>"Insufficient access" error.
>>>Changes to the slave should be referred to the master.  The
>>>client should automatically chase this referral.  However,
>>>many clients (including OpenLDAP ldap* tools) do not support
>>>rebind when simple bind is in use.  This is a security feature.
>>>As OpenLDAP 1.x only implements simple bind, all of the
>>>provided clients do not rebind when chasing referrals.
>>>When using the command line tools which may modify the
>>>directory, it's best to use the -R option and then manually
>>>chase the referral by reissuing the command to the
>>>appropriate server.
>>>You are, of course, welcome to hack up the clients to support
>>>rebinding...  (I would welcome patches that implement rebind
>>>in a manner that provided adequate transmission of credentials
>>>to unintended server).
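The -R / -C / -CC scheme sketched above, and the choice between rebinding and reissuing the command by hand against the master, as an added example that is not part of this thread or of OpenLDAP's own code: a small Python policy that decides whether a client may follow a referral with the user's credentials. The hostnames, the read-only slave stand-in, the prompt callback and the non-simple default are assumptions made for the demonstration.

```python
"""Added example: a referral-chasing policy modelled on the -R / -C / -CC
switches proposed in the thread.  Not OpenLDAP code; the master/slave
hostnames and the slave stand-in below are constructed for the demo."""
from urllib.parse import urlsplit, unquote

LDAP_SUCCESS = 0
LDAP_REFERRAL = 10          # LDAP resultCode "referral"

CHASE_OFF = "off"           # -R : never follow referrals
CHASE_PROMPT = "prompt"     # -C : follow, but ask before credentials leave
CHASE_ALWAYS = "always"     # -CC: follow without prompting


def parse_ldap_url(url):
    """Split an LDAP URL into (scheme, host, port, dn)."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError("not an LDAP URL: %r" % url)
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    dn = unquote(parts.path.lstrip("/"))
    return parts.scheme, parts.hostname, port, dn


def default_mode(mechanism):
    """The default depends on the bind mechanism, as the thread suggests:
    simple bind defaults to off.  Prompting for every other mechanism is
    an assumption; the thread only fixes the simple-bind case."""
    return CHASE_OFF if mechanism == "simple" else CHASE_PROMPT


def chase_referral(result, bound_host, mechanism, mode, confirm=lambda host: False):
    """Return (target_url_or_None, explanation) for a server result.

    With simple bind, rebinding means the cleartext password is sent to
    whatever host the referral names.  Credentials therefore only go to a
    host other than the one the user named when the mode allows it, and
    -R (never chase, reissue by hand) remains the safest choice."""
    if result["resultCode"] != LDAP_REFERRAL:
        return None, "no referral in result"
    for url in result.get("referral", []):
        scheme, host, port, dn = parse_ldap_url(url)
        if mode == CHASE_OFF:
            return None, ("referral to %s not chased; reissue the command "
                          "against %s:%d" % (url, host, port))
        if host == bound_host:
            return url, "same server, rebinding"   # no new recipient for the password
        if mode == CHASE_ALWAYS or confirm(host):
            return url, "rebinding to %s with %s credentials" % (host, mechanism)
        return None, ("refused: %s bind credentials would be sent to "
                      "unintended server %s" % (mechanism, host))
    return None, "referral result carried no URLs"


def slave_modify(master_url, dn):
    """Constructed stand-in for a read-only replica: every modification
    is answered with a referral to the master, never applied locally."""
    return {"resultCode": LDAP_REFERRAL,
            "referral": [master_url.rstrip("/") + "/" + dn]}


def demo():
    """Run one modify against the slave under each chase mode."""
    dn = "cn=Frederic,dc=example,dc=com"          # constructed entry
    res = slave_modify("ldap://master.example.com", dn)
    return [chase_referral(res, "slave.example.com", "simple", m)[1]
            for m in (CHASE_OFF, CHASE_PROMPT, CHASE_ALWAYS)]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running it prints the three outcomes for a simple bind: with -R the user is told which server to reissue the command against, with -C the rebind is refused unless the prompt is answered, and only -CC hands the password to the referred-to host without asking.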