Date: Mon, 2 Feb 2009 13:26:18 -0800 From: "Chavez, James R."<james.chavez@xxxxxxxxxxxxxxx>
Hi Rich, Thank you for your previous response..The answer was actually embedded within your statement I believe. "This is a problem in general with some older clients that do not know how to properly follow LDAPv3 referrals" I used the mozldap ldapmodify tool and it worked to update entries that I point at the consumer. I would have never guessed the openldap tool would not follow LDAPv3 referrals. Maybe a switch I missed or something. Thanks again for your suggestion.
The automatic referral chasing code in OpenLDAP's command line tools was deprecated years ago. It's a security vulnerability: most of the time it will hand your username and plaintext password to any arbitrary server without any warning.
Referrals are a gross flaw in the design of LDAP and should not be used. Distributed servers should use chaining to hide this detail from clients. Clients are not in any position to know whether or to what degree to trust the referred server, or what authentication domain or credentials are relevant on the referred server. Only the server admin knows these details; putting these decisions at the client is wrong.
-- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/ -- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
