----- Original Message -----
Sent: Saturday, October 23, 2004 7:46 PM
Subject: Re: OpenLDAP Replication - Trust or not to Trust?
> At 01:54 PM 10/23/2004, Alex Franko wrote:
> >I have 3 questions on Kurt's response:
> >
> >A) Does it mean that the following scenario from chapter 13 of OpenLDAP
> >Administration Guide is wrong (see below):
>
> No.
>
> >B) I think that not ldapmodify , but the Client should chase referrals.
>
> ldapmodify(1) is a LDAP client.
I think we are misinterpriting terminology. Under the Client I mean the set of functions like
(ldap_bind, ldap_add_ext_s etc) that composing Client layer. In Windows env it is oldap32.lib (in Unix/Linux it is libldap.a). This library oldap32.lib is statically compiled with ldapmodify and other tools. So the problem is in oldap32.lib - Client library.
So other tools (except may be ldapsearch) that using this library have to experience the
same problem. OpenLDAP tools should be able to use the Client Library from other
vendors. BTW do they have the same problem in regards to chasing referrals?
Alex.
>
> >So
> >if Client doesn't do that it means that other operations such -
> >- ldapdelete, ldapmordn will not work also?
>
> There are, I assume, clients which do support automatic chasing
> of referrals. However, as noted in the admin guide,
> ldapmodify(1) and other tools distributed as part of OpenLDAP
> Software do not support automatic referral chasing.
>
> >C) So if it is not a bug should be documentation updated correspondingly?
> > Isn't it possible to re-develop the Clent to chase referrals for updating utilities
> >such as ldapmodify, etc - with consideration of security issues?
>
> ldapmodify(1) (and other OpenLDAP clients) can certainly be re-developed.
Not ldapmodify or other tools but the Client library.
Alex.
>
> >Alex.
> >
> >
> >"Kurt D. Zeilenga" <
Kurt@OpenLDAP.org> wrote:
> >At 12:43 PM 10/23/2004, Alex Franko wrote:
> >>May be I misunderstood the documentation and my expectation that Client should automatically redirect request to the Master is wrong?
> >
> >ldapmodify(1) doesn't automatically chase referrals
> >(for security reasons).
BTW what are these security reasons. The referral to Master returned after the entity
was sucessfully authenticated on Replica. Replica - as a part of LDAP service, "trust"
the authenticated entity and returns referral to its Master. What else ?
Alex.