[Fedora-directory-users] Updating Consumer replica failsreferralto the master from the console.

Tue Feb 3 21:12:53 UTC 2009

Chavez, James R. wrote:
> Howard, Thank you for the insight..I have seen your posts on other
> mailing lists and will definitely take what you said into consideration.
> I will look to implement chaining soon. However is it possible to
> implement chaining over SSL using simple authentication and not
> certificate based authentication? I believe I had read it was not but I
> may be mistaken.
>   
Yes.  You can set up any sort of SSL without requiring cert based auth.
> And since you posted let me ask you this..Is it possible to extend the
> FDS schema to include the yast.schema extension that OpenLDAP contains
> in the SUSE OpenLDAP package. I am looking for the "susegrouptemplate"
> object class and such.
>   
Yes - see http://directory.fedoraproject.org/wiki/Howto:OpenLDAPMigration
>
> Thank you again 
> James 
>
> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com
> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Howard
> Chu
> Sent: Tuesday, February 03, 2009 1:49 PM
> To: fedora-directory-users at redhat.com
> Subject: RE: [Fedora-directory-users] Updating Consumer replica
> failsreferralto the master from the console.
>
>
>   
>> Date: Mon, 2 Feb 2009 13:26:18 -0800
>> From: "Chavez, James R."<james.chavez at sanmina-sci.com>
>>     
>
>   
>> Hi Rich,
>> Thank you for your previous response..The answer was actually embedded
>>     
>
>   
>> within your statement I believe.
>>
>> "This is a problem in general with some older clients that do not know
>>     
>
>   
>> how to properly follow LDAPv3 referrals"
>>
>> I used the mozldap ldapmodify tool and it worked to update entries 
>> that I point at the consumer.  I would have never guessed the openldap
>>     
>
>   
>> tool would not follow LDAPv3 referrals. Maybe a switch I missed or
>>     
> something.
>   
>> Thanks again for your suggestion.
>>     
>
> The automatic referral chasing code in OpenLDAP's command line tools was
> deprecated years ago. It's a security vulnerability: most of the time it
> will hand your username and plaintext password to any arbitrary server
> without any warning.
>
> Referrals are a gross flaw in the design of LDAP and should not be used.
>
> Distributed servers should use chaining to hide this detail from
> clients. 
> Clients are not in any position to know whether or to what degree to
> trust the referred server, or what authentication domain or credentials
> are relevant on the referred server. Only the server admin knows these
> details; putting these decisions at the client is wrong.
>
>   

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20090203/7517ac03/attachment.bin>