Howard Chu wrote:
>
>> Date: Mon, 2 Feb 2009 13:26:18 -0800
>> From: "Chavez, James R." <james.chavez at sanmina-sci.com>
>
>> Hi Rich,
>> Thank you for your previous response. The answer was actually embedded
>> within your statement, I believe.
>>
>> "This is a problem in general with some older clients that do not know
>> how to properly follow LDAPv3 referrals"
>>
>> I used the mozldap ldapmodify tool and it worked to update entries that
>> I point at the consumer. I would have never guessed the openldap tool
>> would not follow LDAPv3 referrals. Maybe a switch I missed or something.
>> Thanks again for your suggestion.
>
> The automatic referral chasing code in OpenLDAP's command line tools
> was deprecated years ago. It's a security vulnerability: most of the
> time it will hand your username and plaintext password to any
> arbitrary server without any warning.
>
> Referrals are a gross flaw in the design of LDAP and should not be
> used. Distributed servers should use chaining to hide this detail from
> clients. Clients are not in any position to know whether or to what
> degree to trust the referred server, or what authentication domain or
> credentials are relevant on the referred server. Only the server admin
> knows these details; putting these decisions at the client is wrong.
>
+1

You can set up Fedora DS to chain on update with replication - see
http://directory.fedoraproject.org/wiki/Howto:ChainOnUpdate
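The credential leak Howard describes above, simulated offline as an added example (this is not code from OpenLDAP, mozldap or 389 DS). A consumer answers a modify with a referral to another host; the "naive" client behaves like the deprecated automatic chasing and rebinds with the same DN and password on whatever host the referral names, while the "hardened" client first runs an admin-supplied allow-list and TLS check. The host names, DNs, the password and the referral URLs are constructed for the demo, and the FakeServer class stands in for the network so that the only observable effect is which server received which credentials. The allow-list check is the most a client can do on its own; the thread's actual recommendation, chaining on the server so that the client never sees the referral, is the better fix.

```python
"""Simulation of LDAP referral chasing: automatic rebind vs. a checked rebind.

Added example for this thread, not OpenLDAP or 389 DS code.  All hosts, DNs,
the password and the referral strings below are constructed for the demo.
"""
from urllib.parse import urlsplit, unquote

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_ldap_url(url):
    """Split an LDAP URL (RFC 4516 shape scheme://host:port/dn?attrs?scope?filter)
    into (scheme, host, port, base_dn).  A host-less URL such as ldap:///dc=x is
    legal per RFC 4516 but cannot be chased, so it is rejected here."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"not an LDAP URL scheme: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("referral URL names no host")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    return parts.scheme, parts.hostname.lower(), port, unquote(parts.path.lstrip("/"))


def referral_policy(trusted_hosts, require_tls=True):
    """Build the check a client applies before re-sending its bind credentials:
    the admin-supplied allow list and the transport decide, not the server that
    issued the referral.  Returns a function mapping a referral URL to
    (follow, reason)."""
    trusted = {h.lower() for h in trusted_hosts}

    def decide(referral_url):
        try:
            scheme, host, port, _ = parse_ldap_url(referral_url)
        except ValueError as exc:
            return False, f"refused: {exc}"
        if host not in trusted:
            return False, f"refused: {host} is not a trusted referral target"
        if require_tls and scheme != "ldaps":
            return False, f"refused: would send the password to {host}:{port} in cleartext"
        return True, f"ok: rebind to {scheme}://{host}:{port}"

    return decide


class FakeServer:
    """Stand-in for a directory server: records every bind it receives and
    either accepts a modify or answers it with a referral (constructed)."""

    def __init__(self, referral=None):
        self.referral = referral
        self.seen_binds = []

    def bind(self, dn, password):
        self.seen_binds.append((dn, password))

    def modify(self):
        return ("referral", self.referral) if self.referral else ("success", None)


def modify_via(servers, start, bind_dn, password, policy=None):
    """Bind to `start`, attempt a modify and chase at most one referral.

    policy=None mimics automatic chasing: the client rebinds with the same DN
    and password on whatever host the referral names.  With a policy the
    referral is followed only when the policy allows it."""
    first = servers[start]
    first.bind(bind_dn, password)
    outcome, ref = first.modify()
    if outcome != "referral":
        return outcome
    if policy is not None:
        follow, reason = policy(ref)
        if not follow:
            return reason
    _, host, _, _ = parse_ldap_url(ref)
    target = servers[host]          # whoever the referral points at
    target.bind(bind_dn, password)  # this is where the credentials leave
    return target.modify()[0]


def run_demo():
    """Consumer refers writes to an untrusted host; compare both clients."""
    def fresh():
        return {
            "consumer.example.com": FakeServer(
                referral="ldap://evil.example.net/dc=example,dc=com"),
            "evil.example.net": FakeServer(),
        }
    creds = ("uid=jchavez,ou=People,dc=example,dc=com", "s3cret")
    naive = fresh()
    naive_result = modify_via(naive, "consumer.example.com", *creds)
    hardened = fresh()
    hardened_result = modify_via(hardened, "consumer.example.com", *creds,
                                 policy=referral_policy(["master.example.com"]))
    return {
        "naive_result": naive_result,
        "naive_leaked_to_evil": naive["evil.example.net"].seen_binds,
        "hardened_result": hardened_result,
        "hardened_leaked_to_evil": hardened["evil.example.net"].seen_binds,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running the script prints that the naive client's modify "succeeds" while evil.example.net now holds the bind DN and password, and that the hardened client refuses because the referred host is not on the allow list. Even a trusted host is refused over plain ldap:// unless require_tls is turned off, since a rebind there would put the password on the wire in cleartext.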