
Re: OpenLDAP Replication - Trust or not to Trust?



> Alex Franko wrote:
>> But the sequence is broken at the beginning on step (b). The Client
>> receives referral, and exits with the error message:
>> *****************************************
>> ldap_perror
>> ldap_add: Referral (10)
>> referrals:
>> ldap://127.0.0.1:389/o=myorg,c=US
>> ldap_unbind
>> ldap_free_request (origid 2, msgid 2)
>> ldap_free_connection
>> ldap_send_unbind;
> why don't you catch that error, take the referral and do a rebind?
> AFAIK, there is no "trust" between the master and the slave. Generally
> speaking, you cannot assume that a set of credentials that works for the
> slave will also work for the master (if credentials are stored in the
> DIT itself it is very likely though). The original question probably was
> if the library can do this for you and I must admit here: I don't know
> ;) (reading Kurt's reply I guess it won't).

The library can: see ldap_set_rebind_proc() (no man page, sorry).
However, how to do the rebind is __VERY__ client __AND__ (master, slave)
DSA dependent.  The most trivial way is to reuse the DN and the password
used for the first bind attempt; but this assumes that simple bind is to
be used in both cases, and that the referral can accept this type of
identity assessment.  As such, too many assumptions are required, so, for
the sake of security, OpenLDAP tools don't do that.  Feel free to modify
ldapmodify(1) to rebind this way, if this is what you need.

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
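The reply above says the "trivial" rebind (reuse the DN and password from the first bind) is left out of the OpenLDAP tools because it rests on assumptions the client cannot verify. The following is an added example, not code from the thread or from OpenLDAP, of the policy a client would want to encode inside its rebind callback before reusing credentials for a referral: it parses the referral URL from the ldap_add error (ldap://127.0.0.1:389/o=myorg,c=US is the one quoted in the thread), refuses hosts the client has not been configured to treat as sharing the slave's credential store, refuses to send a simple-bind password in the clear to a non-loopback host, and refuses referrals outside the expected naming context. It is written in Python with only the standard library so it runs stand-alone; in libldap the same decision would live in the C callback registered with ldap_set_rebind_proc(), which receives the referral URL. The bind DN, password, the master.example.org and other.example.net hostnames, and the trusted-host list are assumptions for illustration.

```python
# Added example (not from the OpenLDAP post or sources): referral rebind
# policy for the "reuse DN + password" strategy discussed in the thread.
# Hostnames, credentials and the trusted-host list are assumed values.
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Iterable, List, Optional, Tuple
from urllib.parse import unquote, urlsplit


@dataclass(frozen=True)
class ReferralTarget:
    scheme: str   # "ldap" or "ldaps"
    host: str
    port: int
    dn: str       # DN part of the URL, percent-decoded


@dataclass(frozen=True)
class BindCredentials:
    bind_dn: str
    password: str


def parse_ldap_url(url: str) -> ReferralTarget:
    """Extract scheme/host/port/DN from an RFC 4516 LDAP URL, e.g. the
    referral quoted in the thread: ldap://127.0.0.1:389/o=myorg,c=US.
    Anything after '?' (attrs, scope, filter, extensions) is ignored."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url!r}")
    if not parts.hostname:
        raise ValueError(f"referral without a host: {url!r}")
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    path = parts.path[1:] if parts.path.startswith("/") else parts.path
    return ReferralTarget(parts.scheme, parts.hostname, port, unquote(path))


def _is_loopback(host: str) -> bool:
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


class RebindPolicy:
    """Decide whether the original bind identity may be reused for a referral.

    trusted_hosts: DSAs the operator has declared to share the credential
    store of the server we first bound to (the thread's point: this cannot be
    assumed, it has to be configured).  naming_context: the suffix the client
    expects to be redirected within."""

    def __init__(self, trusted_hosts: Iterable[str], naming_context: str):
        self.trusted_hosts = {h.lower() for h in trusted_hosts}
        self.naming_context = naming_context.lower()

    def decide(self, referral_url: str,
               creds: BindCredentials) -> Tuple[Optional[BindCredentials], str]:
        target = parse_ldap_url(referral_url)
        if target.host.lower() not in self.trusted_hosts:
            return None, f"{target.host} is not a configured master for these credentials"
        # A simple bind carries the password in the clear; only allow it over
        # ldaps:// or to a loopback address (as in the thread's referral).
        if target.scheme != "ldaps" and not _is_loopback(target.host):
            return None, f"simple bind password would cross the network in cleartext to {target.host}"
        # Case-insensitive suffix match only; real DN comparison needs full
        # normalisation (whitespace, escaping, attribute-type case rules).
        if not target.dn.lower().endswith(self.naming_context):
            return None, f"referral DN {target.dn!r} is outside {self.naming_context!r}"
        return creds, f"rebind as {creds.bind_dn} at {target.scheme}://{target.host}:{target.port}"


def chase_referrals(referral_urls: Iterable[str], creds: BindCredentials,
                    policy: RebindPolicy) -> Tuple[Optional[str], List[str]]:
    """Given the referral list from a result with code 10 (referral), return
    the first URL the policy allows rebinding to, plus the reasons for every
    URL rejected before it.  (None, reasons) means: give up, as ldapmodify does."""
    rejected: List[str] = []
    for url in referral_urls:
        try:
            chosen, reason = policy.decide(url, creds)
        except ValueError as exc:
            chosen, reason = None, str(exc)
        if chosen is not None:
            return url, rejected
        rejected.append(f"{url}: {reason}")
    return None, rejected


if __name__ == "__main__":
    # Constructed inputs: the referral from the thread plus assumed hosts.
    creds = BindCredentials("cn=Manager,o=myorg,c=US", "secret")
    policy = RebindPolicy(["127.0.0.1", "master.example.org"], "o=myorg,c=US")
    for urls in (["ldap://127.0.0.1:389/o=myorg,c=US"],
                 ["ldap://master.example.org/o=myorg,c=US",
                  "ldaps://master.example.org/o=myorg,c=US"],
                 ["ldaps://other.example.net/o=myorg,c=US"]):
        url, rejected = chase_referrals(urls, creds, policy)
        print("chase" if url else "give up", url, rejected)
```

The loopback exception exists only because the thread's referral points at 127.0.0.1; drop it if the rebind callback can be reached with referrals from outside the host. Note that none of these checks establish that the referred-to DSA is the one the operator trusts: that comes from TLS server verification on the ldaps:// connection, which the policy assumes is enforced by the client's TLS settings.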