[Fedora-directory-users] Updating Consumer replicafails referralto the master from the console.

Wed Feb 4 00:18:43 UTC 2009

Chavez, James R. wrote:
>  
>
> Howard Chu wrote:
>   
>>> Date: Mon, 2 Feb 2009 13:26:18 -0800
>>> From: "Chavez, James R."<james.chavez at sanmina-sci.com>
>>>       
>>> Hi Rich,
>>> Thank you for your previous response..The answer was actually 
>>> embedded within your statement I believe.
>>>
>>> "This is a problem in general with some older clients that do not 
>>> know how to properly follow LDAPv3 referrals"
>>>
>>> I used the mozldap ldapmodify tool and it worked to update entries 
>>> that I point at the consumer.  I would have never guessed the 
>>> openldap tool would not follow LDAPv3 referrals. Maybe a switch I
>>>       
> missed or something.
>   
>>> Thanks again for your suggestion.
>>>       
>> The automatic referral chasing code in OpenLDAP's command line tools 
>> was deprecated years ago. It's a security vulnerability: most of the 
>> time it will hand your username and plaintext password to any 
>> arbitrary server without any warning.
>>
>> Referrals are a gross flaw in the design of LDAP and should not be 
>> used. Distributed servers should use chaining to hide this detail from
>>     
>
>   
>> clients. Clients are not in any position to know whether or to what 
>> degree to trust the referred server, or what authentication domain or 
>> credentials are relevant on the referred server. Only the server admin
>>     
>
>   
>> knows these details; putting these decisions at the client is wrong.
>>
>>     
> +1
> You can set up Fedora DS to chain on update with replication - see
> http://directory.fedoraproject.org/wiki/Howto:ChainOnUpdate
>
>
> Rich this goes towards exactly what I need. From reading this article it
> seems I am going to need to put hub servers between the read only
> consumers. Is that an accurate statement ?
>   
No, you don't need to have hubs.  That document just shows what is 
possible.  You can have chain on update with as little as 1 master and 1 
read-only consumer.
> Thanks for the link on the OpenLDAP migration as well.
>
> James 
>
> CONFIDENTIALITY
> This e-mail message and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail message, you are hereby notified that any dissemination, distribution or copying of this e-mail message, and any attachments thereto, is strictly prohibited.  If you have received this e-mail message in error, please immediately notify the sender and permanently delete the original and any copies of this email and any prints thereof.
> ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT INTENDED AS A SUBSTITUTE FOR A WRITING.  Notwithstanding the Uniform Electronic Transactions Act or the applicability of any other law of similar substance and effect, absent an express statement to the contrary hereinabove, this e-mail message its contents, and any attachments hereto are not intended to represent an offer or acceptance to enter into a contract and are not otherwise intended to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any other person or entity.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>   

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20090203/24a350bd/attachment.bin>