
Re: OpenLDAP Replication - Trust or not to Trust?

A developer may implement an LDAP client by writing a
program that uses the LDAP and LBER libraries.  When the
program is run, it becomes an LDAP client.  ldapmodify(1)
is such a program.

The LDAP/LBER libraries implement interfaces (functions)
which the developer may use to implement a program that
automatically chases referrals.

In implementing automatic referral chasing, one has to
be very careful about trust relationships.  Trusting a
server enough to issue a request to it says nothing
about whether one trusts returned referral information,
nor does it say whether one trusts another server.


At 06:50 PM 10/23/2004, Alex Franko wrote:
>----- Original Message ----- 
>From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
>To: "Alex Franko" <frankoalex@yahoo.com>
>Cc: <openldap-software@OpenLDAP.org>
>Sent: Saturday, October 23, 2004 7:46 PM
>Subject: Re: OpenLDAP Replication - Trust or not to Trust?
>> At 01:54 PM 10/23/2004, Alex Franko wrote:
>> >I have 3 questions on Kurt's response:
>> >
>> >A) Does it mean that the following scenario from chapter 13 of  OpenLDAP
>> >Administration Guide is wrong (see below):
>> No.
>> >B) I think that not  ldapmodify , but the Client should chase referrals.
>> ldapmodify(1) is a LDAP client.
>I think we are misinterpreting terminology.  By the Client I mean the set of functions
>(ldap_bind, ldap_add_ext_s, etc.) that compose the Client layer. In a Windows env it is oldap32.lib (in Unix/Linux it is libldap.a).   This library oldap32.lib is statically compiled with ldapmodify and other tools. So the problem is in oldap32.lib - the Client library.
>So other tools (except maybe ldapsearch) that use this library have to experience the
>same problem. OpenLDAP tools should be able to use the Client Library from other
>vendors. BTW do they have the same problem in regards to chasing referrals?
>> >So
>> >if the Client doesn't do that it means that other operations such as
>> >ldapdelete, ldapmodrdn will not work also?
>> There are, I assume, clients which do support automatic chasing
>> of referrals.  However, as noted in the admin guide,
>>   ldapmodify(1) and other tools distributed as part of OpenLDAP
>>   Software do not support automatic referral chasing. 
>> >C) So if it is not a bug should the documentation be updated correspondingly?
>> >     Isn't it possible to re-develop the Client to chase referrals for updating utilities
>> >such as ldapmodify, etc  - with consideration of security issues?
>> ldapmodify(1) (and other OpenLDAP clients) can certainly be re-developed.
>Not ldapmodify or other tools but the Client library.
>> >Alex.
>> >
>> >
>> >"Kurt D. Zeilenga" <Kurt@OpenLDAP.org> wrote:
>> >At 12:43 PM 10/23/2004, Alex Franko wrote:
>> >>May be I misunderstood the documentation and my expectation that Client should automatically redirect request to the Master is wrong? 
>> >
>> >ldapmodify(1) doesn't automatically chase referrals
>> >(for security reasons).
>BTW what are these security reasons? The referral to the Master is returned after the entity
>was successfully authenticated on the Replica. The Replica - as a part of the LDAP service - "trusts"
>the authenticated entity and returns a referral to its Master. What else?
>> >
>> >Kurt 
>> >
>> >