Re: OpenLDAP Replication - Trust or not to Trust?
Alex Franko wrote:
>> The library can: see ldap_set_rebind_proc() (no man page, sorry).
>> However, how to do the rebind is __VERY__ client __AND__ (master, slave)
>> DSA dependent. The most trivial way is to reuse the DN and the password
>> used for the first bind attempt; but this assumes that simple bind is to
>> be used in both cases, and that the referral can accept this type of
>> identity assessment. As such, too many assumptions are required, and for
>> the sake of security, OpenLDAP tools don't do that. Feel free to modify
>> ldapmodify(1) to rebind this way, if this is what you need.
> Again I'm convinced that it is not ldapmodify(1) that should be modified
> but what I was calling LDAP Client (the set of ldap_xxx_ routines), to
> allow other tools (not only ldapmodify(1)) to use the automatic referral
> chasing. This feature must be optional: other tools have to set that
> option - to use referral chasing or not.
> Inside of LDAP Client there are different methods to implement this
> feature (as always):
> The IMPORTANT QUESTION is:
> Is there any existing standard and/or semantics for the simple re-bind
> case defined in RFCs, drafts or other LDAP related documentation?
> Are you aware of commercial implementations of LDAP Server like
> Netscape or SUN?
> How are these Servers handling referral chasing and related problems like
Since you already recognize that this is a client issue, asking how
other servers handle the question is irrelevant - it is not something
servers have to deal with.
As Ando already explained, the LDAP library provides functions for
rebinding on a referral, but the OpenLDAP tools don't use these
functions. So you would need to change the code for ldapmodify(1) to
call those functions to make it work the way you want.
The question is not one of technical standards, but of site policy. When
you perform a simple bind, you send your identity and cleartext password
to the server. When you receive a referral, you have to decide whether
you can trust the referred server. If you chase a referral to a rogue
server that simply steals all the passwords that it receives, you're in
I suppose from a technical perspective, the notion of referrals in LDAP
was never well designed. I believe the best way to blunder through with
these poor designs is to use strong mutual authentication everywhere, to
reduce the chance that you will inadvertently give away your credentials
to a rogue server. I.e., don't ever use simple binds.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
Symas: Premier OpenSource Development and Support
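The reply above frames referral chasing as a site-policy decision: before a client re-sends its credentials to a referred server it has to decide whether it trusts that server. The following C code is an added example, written for this page; it is not code from the thread, from OpenLDAP, or from libldap. It implements one such policy check that a rebind callback registered with ldap_set_rebind_proc() could call before binding: the referral URL must use the ldaps scheme, and the referred host must appear in a client-side allowlist. The callback signature quoted in the comment is the OpenLDAP 2.x libldap one as I recall it and is stated as an assumption; the host names and URLs are constructed sample values, and no LDAP library is linked.

```c
/* Added example (not from the thread or from OpenLDAP): a referral trust
 * check a client could run before rebinding to a referred server.
 *
 * Policy (a site decision, as the reply says):
 *   - the referral URL must use the ldaps scheme, so the bind never travels
 *     in cleartext, and
 *   - the referred host must appear in a client-side allowlist.
 * Anything else is refused and the client simply does not rebind.
 *
 * Assumed libldap callback shape (OpenLDAP 2.x, an assumption; not compiled
 * here): int rebind_proc(LDAP *ld, const char *url, ber_tag_t request,
 *                        ber_int_t msgid, void *params);
 * Such a callback would call referral_allowed(url, ...) first and return a
 * non-zero LDAP error code when the answer is no.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

struct ldap_url_parts {
    char scheme[8];   /* "ldap", "ldaps" or "ldapi" */
    char host[256];   /* host part, IPv6 brackets stripped */
    int  port;        /* 0 when the URL gives none */
};

/* Parse scheme, host and port from an LDAP URL such as
 * "ldaps://ldap2.example.com:636/dc=example,dc=com". Returns 1 on success,
 * 0 for anything malformed (no scheme, empty host, bad port). */
static int parse_ldap_url(const char *url, struct ldap_url_parts *out)
{
    const char *p = strstr(url, "://");
    const char *end;
    size_t n;

    if (p == NULL) return 0;
    n = (size_t)(p - url);
    if (n == 0 || n >= sizeof out->scheme) return 0;
    memcpy(out->scheme, url, n);
    out->scheme[n] = '\0';
    p += 3;

    if (*p == '[') {                     /* [IPv6-literal] */
        const char *close = strchr(p, ']');
        if (close == NULL) return 0;
        n = (size_t)(close - p - 1);
        if (n == 0 || n >= sizeof out->host) return 0;
        memcpy(out->host, p + 1, n);
        out->host[n] = '\0';
        end = close + 1;
    } else {                             /* host ends at ':' or '/' or EOS */
        end = p + strcspn(p, ":/");
        n = (size_t)(end - p);
        if (n == 0 || n >= sizeof out->host) return 0;
        memcpy(out->host, p, n);
        out->host[n] = '\0';
    }

    out->port = 0;
    if (*end == ':') {
        char *stop;
        long v = strtol(end + 1, &stop, 10);
        if (stop == end + 1 || v <= 0 || v > 65535) return 0;
        if (*stop != '\0' && *stop != '/') return 0;
        out->port = (int)v;
    } else if (*end != '\0' && *end != '/') {
        return 0;
    }
    return 1;
}

/* Return 1 if the client may rebind to the referred server, 0 otherwise. */
int referral_allowed(const char *url, const char *const *allowlist, size_t n)
{
    struct ldap_url_parts u;
    size_t i;

    if (!parse_ldap_url(url, &u)) return 0;
    if (strcasecmp(u.scheme, "ldaps") != 0) return 0;   /* refuse cleartext */
    for (i = 0; i < n; i++)
        if (strcasecmp(u.host, allowlist[i]) == 0) return 1;
    return 0;                                            /* unknown host */
}

/* Constructed allowlist for the demonstration. */
static const char *const trusted_hosts[] = { "ldap1.example.com", "ldap2.example.com" };
#define TRUSTED_COUNT (sizeof trusted_hosts / sizeof trusted_hosts[0])

int main(void)
{
    /* Constructed referral URLs a server might return. */
    const char *refs[] = {
        "ldaps://ldap2.example.com:636/dc=example,dc=com",
        "ldap://ldap2.example.com/dc=example,dc=com",
        "ldaps://rogue.example.net/dc=example,dc=com",
        "ldaps://[2001:db8::1]:636/",
    };
    size_t i;
    for (i = 0; i < sizeof refs / sizeof refs[0]; i++)
        printf("%-48s -> %s\n", refs[i],
               referral_allowed(refs[i], trusted_hosts, TRUSTED_COUNT) ? "rebind" : "refuse");
    return 0;
}
```

The allowlist and the ldaps requirement stand in for the "strong mutual authentication everywhere" the reply recommends: the client names the servers it is prepared to authenticate to, and a referral to anything else is dropped rather than followed with a cleartext simple bind.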