
Re: updateref question and Openldap Replication

Jan-Michael Ong <jmong@adobe.com> wrote:
>updateref[TAB]"ldap://"; or
>updateref	"ldap://";
>Whenever I send a request to update/delete a member from a group to the 
>master, everything works as expected. The replication is sent to the slave 
>and everything is fine. When I send an update to the slave however, I get a 
>Referral but the changes never make it to the master. Here are the steps 
>I've taken:
>(1) /usr/local/bin/ldapmodify -f mod.ldif -v -d 256 -h 
>"myslave.mydomain.com" -p "389" -D "cn=admin,o=MyDomain" -w adminpw

Well, if you use "-d 16", you should see the actual referral (just to
verify it's returning what you expect).

On the other hand, as Daniel answered Takumi Kubota, the clients do not
automatically chase referrals.  To chase referrals you need to give "-C",
which is only documented in the man page for ldapsearch(1).

What the manual pages do not say, though, is that when chasing referrals
they have a built-in security feature of not passing on any authentication.
That is to protect in the case of one server referring to another un-trusted
server so you can't accidentally send authentication information to a
server with a security policy that does not match your needs or that
might be compromised if you are not the administrator.

On the other hand, that does not help when you are the administrator of
both servers and all I can recommend is that you just be sure to code to
specifically bind to the master server until multi-master is deemed stable.


Philip Kizer, Senior Lead Systems Engineer, Texas A&M University
USENIX Liaison to Texas A&M University         <usenix@tamu.edu>
Texas A&M CIS Operating Systems Group, Unix   <pckizer@tamu.edu>
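The reply above makes two points a client author should handle explicitly: the OpenLDAP command-line tools only chase referrals with "-C", and when they do they deliberately drop the bind credentials rather than forward them to whatever server the referral names. The following is an added example, not code from the thread or from OpenLDAP: a small stdlib-only Python helper that parses the referral text the clients print, extracts the LDAP URL, and decides whether the client may re-bind there with its credentials. The decision is the one Philip recommends: only a host the administrator has explicitly listed as a master is trusted. The hostnames, DNs and the sample referral message are constructed for the example, and it assumes referrals arrive in the "Referral:" followed by one URL per line form that the OpenLDAP clients print.

```python
"""Decide how to act on an LDAP referral returned by a replica (added example).

Models the advice in the reply: instead of letting the client chase the
referral (which strips authentication), parse it and re-bind with credentials
only to a host configured as a trusted master.  Stdlib only, no network.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit, unquote

# Constructed sample: what an OpenLDAP client reports when the replica refers
# a write to its master (hostnames/DNs are placeholders, not from the thread).
SAMPLE_REFERRAL = "Referral:\nldap://master.example.com/cn=admin,o=Example\n"


@dataclass
class ReferralDecision:
    url: str
    host: str
    port: int
    dn: str
    trusted: bool   # True -> safe to re-bind there with the admin credentials
    reason: str


def parse_referral_text(info: str) -> list:
    """Extract ldap:// and ldaps:// URLs from a client referral message."""
    urls = []
    for line in info.splitlines():
        line = line.strip()
        if line.lower().startswith(("ldap://", "ldaps://")):
            urls.append(line)
    return urls


def parse_ldap_url(url: str) -> tuple:
    """Return (host, port, base_dn) for an RFC 4516 style LDAP URL.

    Default port is 389 for ldap:// and 636 for ldaps://.  A URL with no host,
    such as the bare 'ldap://' from a misconfigured updateref, yields host ''.
    Only scheme, host, port and the DN path are used; any ?attrs?scope?filter
    suffix is ignored.
    """
    parts = urlsplit(url)
    default_port = 636 if parts.scheme.lower() == "ldaps" else 389
    host = parts.hostname or ""          # urlsplit lowercases the hostname
    port = parts.port or default_port
    dn = unquote(parts.path.lstrip("/"))
    return host, port, dn


def decide_referral(info: str, trusted_masters: set) -> list:
    """Classify each referral URL against an allowlist of master hostnames.

    The client never forwards credentials on its own; it re-binds explicitly,
    and only to a host named in trusted_masters (compared case-insensitively).
    """
    trusted = {h.lower() for h in trusted_masters}
    decisions = []
    for url in parse_referral_text(info):
        host, port, dn = parse_ldap_url(url)
        if not host:
            reason = "referral URL has no host; check updateref in slapd.conf"
            ok = False
        elif host in trusted:
            reason = "host is a configured master; re-bind there with credentials"
            ok = True
        else:
            reason = "host not in trusted master list; do not forward credentials"
            ok = False
        decisions.append(ReferralDecision(url, host, port, dn, ok, reason))
    return decisions


if __name__ == "__main__":
    for d in decide_referral(SAMPLE_REFERRAL, {"master.example.com"}):
        print(f"{d.url}: trusted={d.trusted} ({d.reason})")
```

A caller that gets a trusted decision would open a fresh connection to `host:port` and bind with its own credentials before retrying the modify; an untrusted or hostless decision is logged and the write is not retried, which is exactly the failure mode the thread describes (the bare `updateref "ldap://"` produces a referral with no host to follow).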