
Re: PADL libraries handling of update referrals



>>             However we've run into what seems to be a problem with
>> clients. In trying to update a password for an account from an LDAP
>> client, it looks like the update works if we point the client at the
>> master, but fails if we point the client at the slave.
>>
>>
>>
>>             The "client" is the unix passwd command that has been
>> configured to use the PADL pam and nss libraries. Logins, queries and
>> everything read oriented work perfectly, but it looks like the client
>> is choking on the referral from the slave.
>>
>>
>>
>>             Do the PADL libraries follow referrals? If not, is there a
>> parameter we can put in the pam configuration to direct it to the
>> master instead of the slave? We'd like to have queries go to the
>> replication points, while updates get passed up to the master -- is
>> there another way to do this?
>
> Steve,
>
> This sounds like a question for the PADL list.  See the bottom of this
> page:
>
> <http://www.padl.com/Contents/OpenSourceSoftware.html>

Let me add that writing to a slave in general results
in the slave returning a referral to the master,
unless you (the client) intentionally ask for automatic
referral chasing, and provide an appropriate rebind
callback (see the man page for ldap_bind and the C API
RFC for details).  However, to ask for automatic
referral chase, especially when writing passwords, is
not a good practice, because it may lead to exposing
the user's credentials if the referral mechanism is
somehow broken.  In fact, if someone binds to a server,
it is supposed that (s)he trusts that server.  So, if
the server returns a referral, one can decide whether
(s)he intends to trust the referral as well, and
propagate the bind accordingly.  Of course, this is
only academic if you're working in a protected
environment.  In any case, you need to check with
www.padl.com if referral chasing and safe rebind can
be set with their software.

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
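
The trust decision described in the reply above, sketched as an added example that is not part of the original message or of the PADL or OpenLDAP code: a check a client could run on a referral URL before a rebind callback re-sends bind credentials. The function name `referral_is_trusted`, the host names and the policy of accepting only `ldaps://` URLs are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hosts the client is willing to send bind credentials to (constructed). */
static const char *const TRUSTED_HOSTS[] = { "ldap-master.example.com" };

/* Case-insensitive compare of n bytes; a NUL in either string ends it. */
static int ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Return 1 if credentials may be re-sent to the server named in a referral
 * URL, 0 otherwise. Assumed policy: ldaps:// only, host on the allow-list. */
int referral_is_trusted(const char *url)
{
    if (url == NULL || !ieq(url, "ldaps://", 8))
        return 0;                        /* cleartext ldap:// or other scheme */
    const char *host = url + 8;
    size_t hlen = strcspn(host, "/?");   /* host[:port] ends at '/' or '?' */
    if (memchr(host, '@', hlen) != NULL)
        return 0;                        /* LDAP URLs carry no userinfo */
    const char *colon = memchr(host, ':', hlen);
    if (colon != NULL)
        hlen = (size_t)(colon - host);   /* drop the port */
    if (hlen == 0)
        return 0;                        /* ldaps:///dn names no server */
    for (size_t i = 0; i < sizeof TRUSTED_HOSTS / sizeof TRUSTED_HOSTS[0]; i++)
        if (strlen(TRUSTED_HOSTS[i]) == hlen && ieq(host, TRUSTED_HOSTS[i], hlen))
            return 1;
    return 0;                            /* unknown host: do not rebind */
}

int main(void)
{
    /* Constructed referral URLs, as a slave might return for a write. */
    const char *samples[] = {
        "ldaps://ldap-master.example.com/dc=example,dc=com",
        "ldap://ldap-master.example.com/dc=example,dc=com",
        "ldaps://ldap-master.example.com.attacker.test/dc=example,dc=com",
    };
    for (size_t i = 0; i < 3; i++)
        printf("%s -> %s\n", samples[i], referral_is_trusted(samples[i]) ? "rebind" : "refuse");
    return 0;
}
```

The check fails closed: anything it cannot match exactly, including bracketed IPv6 literals, is refused rather than followed.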