Updating Consumer replicafails referralto the master from the console.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Chavez, James R. wrote:
>  
>
> Howard Chu wrote:
>   
>>> Date: Mon, 2 Feb 2009 13:26:18 -0800
>>> From: "Chavez, James R."<james.chavez at sanmina-sci.com>
>>>       
>>> Hi Rich,
>>> Thank you for your previous response..The answer was actually 
>>> embedded within your statement I believe.
>>>
>>> "This is a problem in general with some older clients that do not 
>>> know how to properly follow LDAPv3 referrals"
>>>
>>> I used the mozldap ldapmodify tool and it worked to update entries 
>>> that I point at the consumer.  I would have never guessed the 
>>> openldap tool would not follow LDAPv3 referrals. Maybe a switch I
>>>       
> missed or something.
>   
>>> Thanks again for your suggestion.
>>>       
>> The automatic referral chasing code in OpenLDAP's command line tools 
>> was deprecated years ago. It's a security vulnerability: most of the 
>> time it will hand your username and plaintext password to any 
>> arbitrary server without any warning.
>>
>> Referrals are a gross flaw in the design of LDAP and should not be 
>> used. Distributed servers should use chaining to hide this detail from
>>     
>
>   
>> clients. Clients are not in any position to know whether or to what 
>> degree to trust the referred server, or what authentication domain or 
>> credentials are relevant on the referred server. Only the server admin
>>     
>
>   
>> knows these details; putting these decisions at the client is wrong.
>>
>>     
> +1
> You can set up Fedora DS to chain on update with replication - see
> http://directory.fedoraproject.org/wiki/Howto:ChainOnUpdate
>
>
> Rich this goes towards exactly what I need. From reading this article it
> seems I am going to need to put hub servers between the read only
> consumers. Is that an accurate statement ?
>   
No, you don't need to have hubs.  That document just shows what is 
possible.  You can have chain on update with as little as 1 master and 1 
read-only consumer.
> Thanks for the link on the OpenLDAP migration as well.
>
> James 
>
> CONFIDENTIALITY
> This e-mail message and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail message, you are hereby notified that any dissemination, distribution or copying of this e-mail message, and any attachments thereto, is strictly prohibited.  If you have received this e-mail message in error, please immediately notify the sender and permanently delete the original and any copies of this email and any prints thereof.
> ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT INTENDED AS A SUBSTITUTE FOR A WRITING.  Notwithstanding the Uniform Electronic Transactions Act or the applicability of any other law of similar substance and effect, absent an express statement to the contrary hereinabove, this e-mail message its contents, and any attachments hereto are not intended to represent an offer or acceptance to enter into a contract and are not otherwise intended to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any other person or entity.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>   

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.fedoraproject.org/pipermail/389-users/attachments/20090203/24a350bd/attachment.bin 


[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux