
Re: slave ldap server and replication question

At 03:39 PM 2/14/00 -0500, Steve Thompson wrote:
>Warning: LDAP newbie alert. Two questions.
>First question: Master and slave are set up and working fine. 

You're pretty good for a newbie... setting up slaves isn't as
straightforward as it should be...

>The problem is when a user wishes to change their password, or a client
>administrator wants to change anything at all. The slave server that they
>contact by virtue of the /etc/ldap.conf entry knows that it is a slave and
>sends a referral to the master. The openldap clients then attempt the
>modification on the master, but by binding anonymously.

Yes.  Our client tools do not support rebinding as doing so when
simple passwords are in use is dangerous.  You can modify the
clients to do so if you wish.  There may be patches to do
such in our issue tracking system.  http://www.openldap.org/its/

>the ldap clients appear not to call ldap_set_rebind_proc()
>anywhere. This is clearly a no-no.

Yes. It's a no-no to blindly chase referrals.

>Obviously I can point my administrators at the master, but a client
>embedded inside a passwd command appears to have no such option.

If you are referring out our clients, yes, we don't provide clients
which rebind.

>I can't point my clients all at the master though as
>they may be several hundred miles apart over a low-bandwidth link. Thus,
>the use of a slave to which clients are pointed initially cannot be done
>at all in this scenario, if I use openldap. Am I right? Hopefully not.

If you are solely using our clients, we don't rebind.  However,
other clients (including hacked versions of our clients) can 
rebind if they choose.

>Second question: I can get replication to work using bindmethod=simple
>only if I also use credentials=clear-text-password in the master's
>slapd.conf file. Using credentials={crypt}encrypted-password does not work
>at all, even though the database contains an encrypted {crypt}xxxxx
>userpassword for the cn=replicator entry. Bug or feature?

Feature.  See the archives.
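The reply's point is that a client must not blindly chase a referral from a slave and rebind to whatever server it names, because with simple binds that means sending the user's cleartext password to that server. The following is an added example, not code from the OpenLDAP project or from either poster: it is the decision logic a referral-handling callback (such as one registered with ldap_set_rebind_proc) would run before rebinding. It does not use libldap; the host names, the allowlist and the function names are constructed for illustration. A referral is only followed with credentials if it points at an allowlisted master over ldaps; everything else is refused, so neither the password nor the modify payload (which for a password change contains the new password) leaves for an unexpected or unencrypted destination.

```python
"""Referral policy for an LDAP client that reaches a replica first.

Constructed example: decides whether a referral URL returned by a slave
(resultCode referral) may be followed by rebinding with the caller's
simple credentials. Nothing here talks to a directory; it models the
check a rebind callback should perform before any bind is attempted.
"""
from urllib.parse import urlsplit, unquote

# Hypothetical allowlist of masters that are permitted to receive credentials.
TRUSTED_MASTERS = {"master.example.com"}


def parse_ldap_url(url):
    """Parse an RFC 2255 style LDAP URL into scheme, host, port and base DN.

    Raises ValueError for anything that is not an ldap:// or ldaps:// URL
    with a host component, so callers can treat malformed referrals as refusals.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    if not parts.hostname:
        raise ValueError("referral has no host: %r" % url)
    default_port = 636 if parts.scheme == "ldaps" else 389
    return {
        "scheme": parts.scheme,
        "host": parts.hostname.lower(),
        "port": parts.port or default_port,
        "dn": unquote(parts.path.lstrip("/")),
    }


def referral_decision(url, trusted=TRUSTED_MASTERS, require_tls=True):
    """Return (action, reason) for one referral URL.

    action is 'rebind' (follow and authenticate with the caller's credentials)
    or 'refuse' (do not follow at all). Following anonymously is deliberately
    not offered: an anonymous modify still ships the operation's contents to
    the referred server, which for a password change is the new password.
    """
    try:
        ref = parse_ldap_url(url)
    except ValueError as exc:
        return "refuse", "malformed referral: %s" % exc
    if ref["host"] not in {h.lower() for h in trusted}:
        return "refuse", "host %s is not an allowlisted master" % ref["host"]
    if require_tls and ref["scheme"] != "ldaps":
        return "refuse", "simple bind would send the password in the clear"
    return "rebind", "allowlisted master over %s" % ref["scheme"]


def choose_referral(referral_urls, trusted=TRUSTED_MASTERS, require_tls=True):
    """Pick the first referral URL that policy allows rebinding to, else None."""
    for url in referral_urls:
        action, _ = referral_decision(url, trusted, require_tls)
        if action == "rebind":
            return url
    return None


if __name__ == "__main__":
    # Constructed referral list as a slave might return it for a modify.
    referrals = [
        "ldap://master.example.com/dc=example,dc=com",
        "ldaps://master.example.com/dc=example,dc=com",
        "ldaps://other-host.example.net/dc=example,dc=com",
    ]
    for url in referrals:
        print("%-55s -> %s (%s)" % ((url,) + referral_decision(url)))
    print("chosen:", choose_referral(referrals))
```

The allowlist is the important part: the danger the reply names is not TLS alone but that a referral is attacker-influenced input, so the server named in it must be matched against configuration the client already trusts before any credential is presented.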