----- Original Message -----
Sent: Monday, October 25, 2004 5:39 AM
Subject: Re: OpenLDAP Replication - Trust or not to Trust?
>
> > Alex Franko wrote:
> >> But the sequence is broken at the beginning on step (b). The Client
> >> receives referral, and exits with the error message:
> >> *****************************************
> >> ldap_perror
> >> ldap_add: Referral (10)
> >> referrals:
> >>
ldap://127.0.0.1:389/o=myorg,c=US> >> ldap_unbind
> >> ldap_free_request (origid 2, msgid 2)
> >> ldap_free_connection
> >> ldap_send_unbind;
> > why don't you catch that error, take the referral and do a rebind?
Sure you can. The question is what is the correct way to do that. (See further).
> > AFAIK, there is no "trust" between the master and the slave. Generally
> > speaken, you cannot assume that a set of credentials that works for the
> > slave will also work for the master (if credentials are stored in the
> > DIT itself it is very likely though). The original question probably was
> > if the library can do this for you and I must admit here: I don't know
> > ;) (reading Kurts reply I guess it wont).
>
> The library can: see ldap_set_rebind_proc() (no man page, sorry).
> However, how to do the rebind is __VERY__ client __AND__ (master, slave)
> DSA dependent. The most trivial way is to reuse the DN and the password
> used for the first bind attempt; but this assumes that simple bind is to
> be used in both cases, and that the referral can accept this type of
> identity assessment. As such, too many assumptions are required, so, for
> the sake of security, OpenLDAP tools don't do that. Feel free to modify
> ldapmodify(1) to rebind this way, if this is what you need.
>
> p.
Again I'm convinced that not ldapmofiy(1) should be modified but what I was calling LDAP
Client (set of ldap_xxx_ routines), to allow other tools (not only ldapmodify(1)) to use
the authomatic referral chasing. This feature must be optional: ldapmodify(1) and/or
other tools has to set that option - to use referral chasing or not.
Inside of LDAP Client there are different methods to implement this feature (as always):
The IMPORTANT QUESTION is:
Is there any existing standard and/or semantic, for simple re-bind case defined in RFCs, drafts or other LDAP related documentation.
Are you aware about commercial implementations of LDAP Server like Netscape or SUN?
How these Servers handling referral chasing and related problems like re-bind etc.?