[Fedora-directory-users] Updating Consumer replicafails referralto the master from the console.
Rich Megginson
rmeggins at redhat.com
Wed Feb 4 00:18:43 UTC 2009
Chavez, James R. wrote:
>
>
> Howard Chu wrote:
>
>>> Date: Mon, 2 Feb 2009 13:26:18 -0800
>>> From: "Chavez, James R."<james.chavez at sanmina-sci.com>
>>>
>>> Hi Rich,
>>> Thank you for your previous response..The answer was actually
>>> embedded within your statement I believe.
>>>
>>> "This is a problem in general with some older clients that do not
>>> know how to properly follow LDAPv3 referrals"
>>>
>>> I used the mozldap ldapmodify tool and it worked to update entries
>>> that I point at the consumer. I would have never guessed the
>>> openldap tool would not follow LDAPv3 referrals. Maybe a switch I
>>>
> missed or something.
>
>>> Thanks again for your suggestion.
>>>
>> The automatic referral chasing code in OpenLDAP's command line tools
>> was deprecated years ago. It's a security vulnerability: most of the
>> time it will hand your username and plaintext password to any
>> arbitrary server without any warning.
>>
>> Referrals are a gross flaw in the design of LDAP and should not be
>> used. Distributed servers should use chaining to hide this detail from
>>
>
>
>> clients. Clients are not in any position to know whether or to what
>> degree to trust the referred server, or what authentication domain or
>> credentials are relevant on the referred server. Only the server admin
>>
>
>
>> knows these details; putting these decisions at the client is wrong.
>>
>>
> +1
> You can set up Fedora DS to chain on update with replication - see
> http://directory.fedoraproject.org/wiki/Howto:ChainOnUpdate
>
>
> Rich this goes towards exactly what I need. From reading this article it
> seems I am going to need to put hub servers between the read only
> consumers. Is that an accurate statement ?
>
No, you don't need to have hubs. That document just shows what is
possible. You can have chain on update with as little as 1 master and 1
read-only consumer.
> Thanks for the link on the OpenLDAP migration as well.
>
> James
>
> CONFIDENTIALITY
> This e-mail message and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail message, you are hereby notified that any dissemination, distribution or copying of this e-mail message, and any attachments thereto, is strictly prohibited. If you have received this e-mail message in error, please immediately notify the sender and permanently delete the original and any copies of this email and any prints thereof.
> ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT INTENDED AS A SUBSTITUTE FOR A WRITING. Notwithstanding the Uniform Electronic Transactions Act or the applicability of any other law of similar substance and effect, absent an express statement to the contrary hereinabove, this e-mail message its contents, and any attachments hereto are not intended to represent an offer or acceptance to enter into a contract and are not otherwise intended to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any other person or entity.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20090203/24a350bd/attachment.bin>
More information about the Fedora-directory-users
mailing list