So how does this "trust relationship" have to be described
in OpenLDAP terminology? Is there any existing standard?
In other words, if a developer wants to implement
automatic referral chasing, how should he describe,
interpret or enforce the "trust relationship"?
Should it happen through config files or ...?
----- Original Message -----
Sent: Sunday, October 24, 2004 2:46 AM
Subject: Re: OpenLDAP Replication - Trust or not to Trust?
> A developer may implement an LDAP client by writing a
> program that uses the LDAP and LBER libraries. When the
> program is run, it becomes an LDAP client. ldapmodify(1)
> is such a program.
> The LDAP/LBER libraries implement interfaces (functions)
> which the developer may use to implement a program that
> automatically chases referrals.
> In implementing automatic referral chasing, one has to
> be very careful about trust relationships. Trusting a
> server enough to issue a request to it says nothing
> about whether one trusts returned referral information,
> nor does it say whether one trusts another server.
> At 06:50 PM 10/23/2004, Alex Franko wrote:
> >----- Original Message -----
> >From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
> >To: "Alex Franko" <email@example.com>
> >Cc: <openldap-software@OpenLDAP.org>
> >Sent: Saturday, October 23, 2004 7:46 PM
> >Subject: Re: OpenLDAP Replication - Trust or not to Trust?
> >> At 01:54 PM 10/23/2004, Alex Franko wrote:
> >> >I have 3 questions on Kurt's response:
> >> >
> >> >A) Does it mean that the following scenario from chapter 13 of OpenLDAP
> >> >Administration Guide is wrong (see below):
> >> No.
> >> >B) I think that not ldapmodify, but the Client should chase referrals.
> >> ldapmodify(1) is an LDAP client.
> >I think we are misinterpreting terminology. By the Client I mean the set of functions
> >(ldap_bind, ldap_add_ext_s etc.) that compose the Client layer. In the Windows env it is oldap32.lib (in Unix/Linux it is libldap.a). This library oldap32.lib is statically compiled with ldapmodify and other tools. So the problem is in oldap32.lib - the Client library.
> >So other tools (except maybe ldapsearch) that use this library have to experience the
> >same problem. OpenLDAP tools should be able to use the Client Library from other
> >vendors. BTW, do they have the same problem in regards to chasing referrals?
> >> >So if the Client doesn't do that, does it mean that other operations such as
> >> >ldapdelete, ldapmodrdn will not work also?
> >> There are, I assume, clients which do support automatic chasing
> >> of referrals. However, as noted in the admin guide,
> >> ldapmodify(1) and other tools distributed as part of OpenLDAP
> >> Software do not support automatic referral chasing.
> >> >C) So if it is not a bug, should the documentation be updated correspondingly?
> >> >Isn't it possible to re-develop the Client to chase referrals for updating utilities
> >> >such as ldapmodify, etc. - with consideration of security issues?
> >> ldapmodify(1) (and other OpenLDAP clients) can certainly be re-developed.
> >Not ldapmodify or other tools but the Client library.
> >> >Alex.
> >> >
> >> >"Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
> >> >At 12:43 PM 10/23/2004, Alex Franko wrote:
> >> >>Maybe I misunderstood the documentation and my expectation that the Client should automatically redirect the request to the Master is wrong?
> >> >
> >> >ldapmodify(1) doesn't automatically chase referrals
> >> >(for security reasons).
> >BTW, what are these security reasons? The referral to the Master is returned after the entity
> >was successfully authenticated on the Replica. The Replica - as a part of the LDAP service - "trusts"
> >the authenticated entity and returns a referral to its Master. What else?
> >> >
> >> >Kurt
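The trust question raised above (a server you trust enough to query says nothing about whether you trust the referral it returns, or the server it points to) can be made concrete as an explicit referral policy that a client consults before chasing. The following is an added example, not code from this thread or from OpenLDAP; the host `master.example.com`, the `TRUSTED_SERVERS` table and the functions `parse_referral` and `referral_decision` are assumptions, standing in for the config-file-driven policy the question asks about.

```python
from urllib.parse import urlsplit, unquote

# Constructed trust policy: only these hosts (on these ports) may receive a
# chased request. A real client would load this from its configuration
# rather than hard-code it; the entries here are placeholders.
TRUSTED_SERVERS = {"master.example.com": 389}


def parse_referral(url):
    """Split an LDAP URL (ldap://host:port/dn) into (scheme, host, port, dn).

    Raises ValueError for anything that is not a usable LDAP URL, so the
    caller never chases a referral it could not fully parse.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    if not parts.hostname:
        raise ValueError("referral without a host: %r" % url)
    # .port raises ValueError on a non-numeric port; default per scheme.
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    dn = unquote(parts.path.lstrip("/"))
    return parts.scheme, parts.hostname.lower(), port, dn


def referral_decision(url, trusted, hops, max_hops=3):
    """Decide whether a referral returned by an already-trusted server may be
    chased. Returns (chase, reason); trust in the referring server is never
    carried over to the referral target, which must itself be in `trusted`.
    """
    if hops >= max_hops:
        return False, "too many referral hops (%d)" % hops
    try:
        scheme, host, port, dn = parse_referral(url)
    except ValueError as err:
        return False, str(err)
    if host not in trusted:
        return False, "referral points to untrusted server %s" % host
    if trusted[host] != port:
        return False, "unexpected port %d for trusted server %s" % (port, host)
    return True, "chase %s://%s:%d for %s" % (scheme, host, port, dn)
```

Credentials are re-sent only when the decision is True, so an untrusted referral target never sees a bind from the client.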