[Date Prev][Date Next]
Re: Referral -> insufficient access
At 08:41 AM 9/3/99 -0700, Kurt D. Zeilenga wrote:
>At 11:37 AM 9/3/99 +0200, Frédéric Poels wrote:
>>How comes it works (using the same OpenLDAP ldap* tools) with another
>>I cannot manage to find a "-R" option to ldapadd (the one that comes with
>My mistake. The tools which do modification don't have -R as
>this *should* be the default behavior (to not chase referrals).
>It actually looks like they do not actually set don't chase.
>IMO, that's a bug.
My mistake, again... I really should finish my morning caffenie
intake before posting :-). I had 2.0-devel on my brain.
With OpenLDAP 1.2 referrals must be explicitly enabled, hence
>In fact, for ldapsearch w/ simple password, the default should
>be off. All commands should have a feature to enable chasing
>with and without prompting.
> -R disable referral chasing
> -C enable referral chasing with prompting
> -CC enable referral chasing without prompting
>The default should depend upon the authentication mechanism
>>Thanks for your help!
>>At 13:12 2/09/99 -0700, you wrote:
>>>At 07:12 PM 9/2/99 +0200, Frédéric Poels wrote:
>>>>I am running slapd 1.2.6 on two AIX machines, replicating from one to
>>>>Replication works fine wrom Master to Slave. Changes applied to the Master
>>>>are replicated to the slave. Changes applied to the slave return an
>>>>"Insufficient access" error.
>>>Changes to the slave should be referred to the master. The
>>>client should automatically chase this referral. However,
>>>many clients (including OpenLDAP ldap* tools) do not support
>>>rebind when simple bind is in use. This is a security feature.
>>>As OpenLDAP 1.x only implements simple bind, all of the
>>>provided clients do not rebind when chasing referrals.
>>>When using the command line tools which may modify the
>>>directory, it's best to use the -R option and than manually
>>>chase the referral by reissuing the command to the
>>>You are, of course, welcome to hack up the clients to support
>>>rebinding... (I would welcome patches that implement rebind
>>>in a manner that provided adequate transmission of credentials
>>>to unintended server).