Chavez, James R. wrote:
> Howard Chu wrote:
>>> Date: Mon, 2 Feb 2009 13:26:18 -0800
>>> From: "Chavez, James R." <james.chavez at sanmina-sci.com>
>>>
>>> Hi Rich,
>>> Thank you for your previous response. The answer was actually
>>> embedded within your statement I believe.
>>>
>>> "This is a problem in general with some older clients that do not
>>> know how to properly follow LDAPv3 referrals"
>>>
>>> I used the mozldap ldapmodify tool and it worked to update entries
>>> that I point at the consumer. I would have never guessed the
>>> openldap tool would not follow LDAPv3 referrals. Maybe a switch I
>>> missed or something.
>>> Thanks again for your suggestion.
>>>
>> The automatic referral chasing code in OpenLDAP's command line tools
>> was deprecated years ago. It's a security vulnerability: most of the
>> time it will hand your username and plaintext password to any
>> arbitrary server without any warning.
>>
>> Referrals are a gross flaw in the design of LDAP and should not be
>> used. Distributed servers should use chaining to hide this detail from
>> clients. Clients are not in any position to know whether or to what
>> degree to trust the referred server, or what authentication domain or
>> credentials are relevant on the referred server. Only the server admin
>> knows these details; putting these decisions at the client is wrong.
>>
> +1
> You can set up Fedora DS to chain on update with replication - see
> http://directory.fedoraproject.org/wiki/Howto:ChainOnUpdate
>
> Rich this goes towards exactly what I need. From reading this article it
> seems I am going to need to put hub servers between the read only
> consumers. Is that an accurate statement?

No, you don't need to have hubs. That document just shows what is possible. You can have chain on update with as little as 1 master and 1 read-only consumer.

> Thanks for the link on the OpenLDAP migration as well.
>
> James
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
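Howard's point above is that a client which chases a referral cannot judge whether the referred server deserves its credentials, which is why the thread recommends server-side chaining instead. The following is an added example, not code from this thread nor from OpenLDAP or Fedora DS, showing the explicit policy a client would need before binding to a referred URL: parse the LDAP URL, require TLS, and accept only servers on an admin-supplied allowlist. The `TRUSTED_SERVERS` set, the hostnames and the sample referral URLs are constructed for illustration.

```python
"""Evaluate whether an LDAPv3 referral URL may be chased with the
client's credentials.  Added example: not code from this thread, nor
from OpenLDAP or Fedora DS.  All hostnames are constructed."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hypothetical allowlist the directory admin ships to clients: only these
# (scheme, host, port) triples may ever receive a bind with our credentials.
TRUSTED_SERVERS = {
    ("ldaps", "ldap1.example.com", 636),
    ("ldaps", "ldap2.example.com", 636),
}


@dataclass(frozen=True)
class ReferralDecision:
    url: str
    chase: bool
    reason: str


def parse_ldap_url(url):
    """Split an LDAP URL (RFC 4516 form ldap[s]://host[:port]/dn) into
    (scheme, host, port, base_dn).  Raises ValueError for non-LDAP URLs
    or malformed ports."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url!r}")
    host = (parts.hostname or "").lower()
    port = parts.port or (636 if scheme == "ldaps" else 389)
    base_dn = parts.path[1:] if parts.path.startswith("/") else parts.path
    return scheme, host, port, base_dn


def evaluate_referral(url, trusted=TRUSTED_SERVERS):
    """Decide whether a referral may be followed.  A naive client binds to
    whatever host the referral names; this one refuses unless the target
    is allowlisted and uses TLS, and records why it refused."""
    try:
        scheme, host, port, _base_dn = parse_ldap_url(url)
    except ValueError as exc:
        return ReferralDecision(url, False, str(exc))
    if not host:
        # "ldaps:///dn" conventionally means "same server"; without a host
        # there is nothing to check, so treat it as untrusted.
        return ReferralDecision(url, False, "referral names no host")
    if scheme != "ldaps":
        return ReferralDecision(
            url, False, "plaintext ldap://: credentials would be sent unprotected")
    if (scheme, host, port) not in trusted:
        return ReferralDecision(url, False, f"{host}:{port} is not an allowlisted server")
    return ReferralDecision(url, True, f"{host}:{port} is allowlisted and uses TLS")


def triage(referral_urls, trusted=TRUSTED_SERVERS):
    """Evaluate every URL of a multi-valued referral.  Returns the URLs
    that may be chased and (url, reason) pairs for the refusals, which a
    client should log rather than silently retry."""
    decisions = [evaluate_referral(u, trusted) for u in referral_urls]
    allowed = [d.url for d in decisions if d.chase]
    refused = [(d.url, d.reason) for d in decisions if not d.chase]
    return allowed, refused


if __name__ == "__main__":
    # Constructed referral set, as a read-only consumer might return on a write.
    sample = [
        "ldaps://ldap1.example.com/dc=example,dc=com",
        "ldap://ldap1.example.com/dc=example,dc=com",
        "ldaps://unknown-host.example.net:636/dc=example,dc=com",
    ]
    ok, bad = triage(sample)
    print("chase:", ok)
    for url, why in bad:
        print("refuse:", url, "-", why)
```

The design point is that the trust decision is data the admin supplies, not something the client infers from the referral itself; a deployment that uses chain-on-update as described in the linked howto makes the whole question moot, because the consumer forwards the write and the client never sees a referral.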