RE: Using the referrals in (Open)LDAP? [Virus checked]

>Referrals are an ill-defined ill-supported wart in the LDAP protocol. It's
>best to avoid them if you can. In particular, the spec provides zero guidance
>on how to handle security issues. E.g., if you query server A using ldaps or
>StartTLS, should you use the same level of security when talking to server B?
>Should the client assume that the same username and password for server A is
>valid on server B? If not, how does the client decide which user identity to
>assert on server B? What if you performed a SASL bind, and server B doesn't
>support the same SASL mechs as server A?

I'm a bit disappointed here. I can accept that LDAP has some limitations because of the distributed-directory nature, but this is exactly the kind of stuff I DO expect a distributed directory to be good at. :-(

>In OpenLDAP the way to avoid using referrals is to use back-ldap and address
>these issues explicitly, by defining all the necessary knowledge information
>in the back-ldap configuration and obviating the client from having to deal
>with it.

OK, if referrals are no-good, I have nothing against using another mechanism that works better. :-)

Can I use back-ldap (or back-meta?) together with back-bdb on the same server?
back-bdb would serve the local stuff, and back-ldap/meta would assure that remote data is transparently served to clients.

Are there any limitations on using back-ldap/back-meta data for binds?
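The combination asked about, as an added example that is not from the original thread: a slapd.conf fragment in which back-bdb serves the local tree and a subordinate subtree is proxied through back-ldap, with the TLS level and the identity used towards the remote server fixed in the configuration rather than left to the client, as the quoted reply recommends. Hostnames, DNs, passwords and file paths are assumed values.

```conf
# Added example (assumed names/paths), not configuration from the thread.
# Load the backends if slapd was built with dynamic modules.
modulepath  /usr/lib/openldap
moduleload  back_bdb.la
moduleload  back_ldap.la

#######################################################################
# Remote subtree, proxied via back-ldap.
# A subordinate database must be declared BEFORE its superior so the
# glue overlay can stitch it under dc=example,dc=com.
#######################################################################
database        ldap
suffix          "ou=remote,dc=example,dc=com"
subordinate
uri             "ldap://ldap-b.example.com/"

# Security level towards server B is decided here, not by the client:
# always StartTLS and refuse to continue if the certificate fails.
tls             start tls_reqcert=demand tls_cacert=/etc/openldap/ca.pem

# Which identity server B sees is also decided here: a dedicated proxy
# account whose password is only in this file, never the client's own
# credentials or SASL mechanism. mode=none means every remote operation
# is performed as this proxy identity (no proxyAuthz assertion).
idassert-bind   bindmethod=simple
                binddn="cn=proxy,ou=remote,dc=example,dc=com"
                credentials="proxy-password-assumed"
                mode=none

# Binds of users under the remote subtree are forwarded to server B
# over the same TLS-protected connection settings.
acl-bind        bindmethod=simple
                binddn="cn=proxy,ou=remote,dc=example,dc=com"
                credentials="proxy-password-assumed"

#######################################################################
# Local data, served directly from back-bdb.
#######################################################################
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
rootpw          {SSHA}replace-with-a-real-hash
directory       /var/lib/ldap
index           objectClass eq
```

Clients bind and search against dc=example,dc=com only; entries under ou=remote are fetched from server B transparently, and the referral questions in the quoted reply (which TLS level, which identity, which SASL mechanism) are answered once by the administrator in this file.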