[Fedora-directory-users] Updating Consumer replica failsreferralto the master from the console.
Chavez, James R.
james.chavez at sanmina-sci.com
Tue Feb 3 20:56:26 UTC 2009
Howard, Thank you for the insight..I have seen your posts on other
mailing lists and will definitely take what you said into consideration.
I will look to implement chaining soon. However is it possible to
implement chaining over SSL using simple authentication and not
certificate based authentication? I believe I had read it was not but I
may be mistaken.
And since you posted let me ask you this..Is it possible to extend the
FDS schema to include the yast.schema extension that OpenLDAP contains
in the SUSE OpenLDAP package. I am looking for the "susegrouptemplate"
object class and such.
Thank you again
James
-----Original Message-----
From: fedora-directory-users-bounces at redhat.com
[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Howard
Chu
Sent: Tuesday, February 03, 2009 1:49 PM
To: fedora-directory-users at redhat.com
Subject: RE: [Fedora-directory-users] Updating Consumer replica
failsreferralto the master from the console.
> Date: Mon, 2 Feb 2009 13:26:18 -0800
> From: "Chavez, James R."<james.chavez at sanmina-sci.com>
> Hi Rich,
> Thank you for your previous response..The answer was actually embedded
> within your statement I believe.
>
> "This is a problem in general with some older clients that do not know
> how to properly follow LDAPv3 referrals"
>
> I used the mozldap ldapmodify tool and it worked to update entries
> that I point at the consumer. I would have never guessed the openldap
> tool would not follow LDAPv3 referrals. Maybe a switch I missed or
something.
> Thanks again for your suggestion.
The automatic referral chasing code in OpenLDAP's command line tools was
deprecated years ago. It's a security vulnerability: most of the time it
will hand your username and plaintext password to any arbitrary server
without any warning.
Referrals are a gross flaw in the design of LDAP and should not be used.
Distributed servers should use chaining to hide this detail from
clients.
Clients are not in any position to know whether or to what degree to
trust the referred server, or what authentication domain or credentials
are relevant on the referred server. Only the server admin knows these
details; putting these decisions at the client is wrong.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
CONFIDENTIALITY
This e-mail message and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail message, you are hereby notified that any dissemination, distribution or copying of this e-mail message, and any attachments thereto, is strictly prohibited. If you have received this e-mail message in error, please immediately notify the sender and permanently delete the original and any copies of this email and any prints thereof.
ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT INTENDED AS A SUBSTITUTE FOR A WRITING. Notwithstanding the Uniform Electronic Transactions Act or the applicability of any other law of similar substance and effect, absent an express statement to the contrary hereinabove, this e-mail message its contents, and any attachments hereto are not intended to represent an offer or acceptance to enter into a contract and are not otherwise intended to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any other person or entity.
More information about the Fedora-directory-users
mailing list