[Date Prev][Date Next]
Re: OpenLDAP Replication - Trust or not to Trust?
A developer may implement an LDAP client by writing a
program that uses the LDAP and LBER libraries. When the
program is ran, it becomes a LDAP client. ldapmodify(1)
is such a program.
The LDAP/LBER libraries implement interfaces (functions)
which the developer may use to implement a program that
automatically chases referrals.
In implementing automatic referral chasing, one has to
be very careful about trust relationships. Trusting a
server enough to issue a request to it says nothing
about whether one trusts returned referral information,
nor does it say wether one trusts another server.
At 06:50 PM 10/23/2004, Alex Franko wrote:
>----- Original Message -----
>From: "Kurt D. Zeilenga" <<mailto:Kurt@OpenLDAP.org>Kurt@OpenLDAP.org>
>To: "Alex Franko" <<mailto:email@example.com>firstname.lastname@example.org>
>Sent: Saturday, October 23, 2004 7:46 PM
>Subject: Re: OpenLDAP Replication - Trust or not to Trust?
>> At 01:54 PM 10/23/2004, Alex Franko wrote:
>> >I have 3 questions on Kurt's response:
>> >A) Does it mean that the following scenario from chapter 13 of OpenLDAP
>> >Administration Guide is wrong (see below):
>> >B) I think that not ldapmodify , but the Client should chase referrals.
>> ldapmodify(1) is a LDAP client.
>I think we are misinterpriting terminology. Under the Client I mean the set of functions like
>(ldap_bind, ldap_add_ext_s etc) that composing Client layer. In Windows env it is oldap32.lib (in Unix/Linux it is libldap.a). This library oldap32.lib is statically compiled with ldapmodify and other tools. So the problem is in oldap32.lib - Client library.
>So other tools (except may be ldapsearch) that using this library have to experience the
>same problem. OpenLDAP tools should be able to use the Client Library from other
>vendors. BTW do they have the same problem in regards to chasing referrals?
>> >if Client doesn't do that it means that other operations such -
>> >- ldapdelete, ldapmordn will not work also?
>> There are, I assume, clients which do support automatic chasing
>> of referrals. However, as noted in the admin guide,
>> ldapmodify(1) and other tools distributed as part of OpenLDAP
>> Software do not support automatic referral chasing.
>> >C) So if it is not a bug should be documentation updated correspondingly?
>> > Isn't it possible to re-develop the Clent to chase referrals for updating utilities
>> >such as ldapmodify, etc - with consideration of security issues?
>> ldapmodify(1) (and other OpenLDAP clients) can certainly be re-developed.
>Not ldapmodify or other tools but the Client library.
>> >"Kurt D. Zeilenga" <<mailto:Kurt@OpenLDAP.org>Kurt@OpenLDAP.org> wrote:
>> >At 12:43 PM 10/23/2004, Alex Franko wrote:
>> >>May be I misunderstood the documentation and my expectation that Client should automatically redirect request to the Master is wrong?
>> >ldapmodify(1) doesn't automatically chase referrals
>> >(for security reasons).
>BTW what are these security reasons. The referral to Master returned after the entity
>was sucessfully authenticated on Replica. Replica - as a part of LDAP service, "trust"
>the authenticated entity and returns referral to its Master. What else ?
>> >Do you Yahoo!?
>> ><<http://us.rd.yahoo.com/mail_us/taglines/aac/*http://promotions.yahoo.com/new_mail/static/ease.html>Yahoo>http://us.rd.yahoo.com/mail_us/taglines/aac/*http://promotions.yahoo.com/new_mail/static/ease.html>Yahoo! Mail Address AutoComplete - You start. We finish.
>Do you Yahoo!?
><http://us.rd.yahoo.com/mail_us/taglines/mobile/*http://mobile.yahoo.com/maildemo>Take Yahoo! Mail with you! Get it on your mobile phone.