Chavez, James R. wrote:
Howard, thank you for the insight. I have seen your posts on other mailing lists and will definitely take what you said into consideration. I will look to implement chaining soon. However, is it possible to implement chaining over SSL using simple authentication and not certificate-based authentication? I believe I had read it was not, but I may be mistaken.
Yes. You can set up any sort of SSL without requiring cert based auth.
And since you posted, let me ask you this: is it possible to extend the FDS schema to include the yast.schema extension that OpenLDAP contains in the SUSE OpenLDAP package? I am looking for the "susegrouptemplate" object class and such.
Yes - see http://directory.fedoraproject.org/wiki/Howto:OpenLDAPMigration
Thank you again
James

-----Original Message-----
From: fedora-directory-users-bounces@xxxxxxxxxx [mailto:fedora-directory-users-bounces@xxxxxxxxxx] On Behalf Of Howard Chu
Sent: Tuesday, February 03, 2009 1:49 PM
To: fedora-directory-users@xxxxxxxxxx
Subject: RE: Updating Consumer replica fails referral to the master from the console.

Date: Mon, 2 Feb 2009 13:26:18 -0800
From: "Chavez, James R." <james.chavez@xxxxxxxxxxxxxxx>

Hi Rich,
Thank you for your previous response. The answer was actually embedded within your statement, I believe:
"This is a problem in general with some older clients that do not know how to properly follow LDAPv3 referrals"
I used the mozldap ldapmodify tool and it worked to update entries that I point at the consumer. I would have never guessed the openldap tool would not follow LDAPv3 referrals. Maybe a switch I missed or something.
Thanks again for your suggestion.

The automatic referral chasing code in OpenLDAP's command line tools was deprecated years ago. It's a security vulnerability: most of the time it will hand your username and plaintext password to any arbitrary server without any warning. Referrals are a gross flaw in the design of LDAP and should not be used. Distributed servers should use chaining to hide this detail from clients. Clients are not in any position to know whether or to what degree to trust the referred server, or what authentication domain or credentials are relevant on the referred server. Only the server admin knows these details; putting these decisions at the client is wrong.
-- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
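The hazard Howard describes in the quoted message is that a client which chases referrals automatically reconnects to whatever host the referral URL names and replays its simple bind, sending the DN and plaintext password to a server it knows nothing about. The following is an added example, not code from the thread, from OpenLDAP or from Fedora Directory Server: it parses the RFC 4516 LDAP URLs carried in a referral and applies the conservative policy a client that must chase referrals could use, never replaying credentials to a host the administrator has not declared trusted and refusing cleartext ldap:// targets by default. The host names, the trusted-host list and the referral URLs in it are constructed for illustration; the thread's own recommendation, server-side chaining so that clients never see referrals, still stands.

```python
"""Referral-chasing policy for an LDAP client (added example, not from the thread).

A server that cannot answer an operation may return resultCode referral (10)
with one or more LDAP URLs. A client that chases them has to decide where to
connect and how to bind there. The unsafe default is to replay the original
simple bind to whatever host the URL names. This policy replays credentials
only to the server already bound to, or to administrator-listed hosts, and
follows any other host anonymously at most.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional
from urllib.parse import unquote, urlsplit

DEFAULT_PORT = {"ldap": 389, "ldaps": 636}


def parse_ldap_url(url: str) -> Dict[str, object]:
    """Parse an RFC 4516 LDAP URL: scheme://host[:port]/dn[?attrs[?scope[?filter[?exts]]]]."""
    url = url.strip()
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORT:
        raise ValueError(f"not an LDAP URL: {url!r}")
    host = (parts.hostname or "").lower()
    if not host:
        raise ValueError(f"LDAP URL has no host: {url!r}")
    port = parts.port or DEFAULT_PORT[scheme]          # raises ValueError on a bad port
    # urlsplit's netloc is a verbatim slice of the URL, so everything after
    # "scheme://netloc" is the DN and the '?'-separated fields.
    tail = url[len(parts.scheme) + 3 + len(parts.netloc):].lstrip("/")
    fields = (tail.split("?") + [""] * 5)[:5]
    return {
        "scheme": scheme,
        "host": host,
        "port": port,
        "dn": unquote(fields[0]),
        "attributes": [a for a in unquote(fields[1]).split(",") if a],
        "scope": fields[2].lower() or "base",
        "filter": unquote(fields[3]) or "(objectClass=*)",
        "extensions": fields[4],
    }


@dataclass(frozen=True)
class ReferralPlan:
    uri: Optional[str]          # URL to follow, or None if nothing is acceptable
    replay_credentials: bool    # may the original bind DN and password be reused there?
    reason: str


def plan_referral(referral_uris: Iterable[str], bound_host: str,
                  trusted_hosts: Iterable[str] = (),
                  allow_cleartext: bool = False) -> ReferralPlan:
    """Choose which referral URL (if any) to chase and how to bind there.

    Credentials are replayed only to the host we are bound to or to hosts in
    trusted_hosts (an administrator decision, not something the client can
    infer). Any other host is followed anonymously. ldap:// targets are
    refused unless allow_cleartext is set, since a replayed simple bind over
    them would expose the password on the wire as well.
    """
    trusted = {h.lower() for h in trusted_hosts} | {bound_host.lower()}
    anonymous: Optional[ReferralPlan] = None
    rejected: List[str] = []
    for uri in referral_uris:
        try:
            ref = parse_ldap_url(uri)
        except ValueError as exc:
            rejected.append(str(exc))
            continue
        if ref["scheme"] == "ldap" and not allow_cleartext:
            rejected.append(f"cleartext ldap:// refused: {uri!r}")
            continue
        if ref["host"] in trusted:
            return ReferralPlan(uri, True,
                                f"{ref['host']} is the bound server or an admin-trusted host")
        if anonymous is None:   # remember the first acceptable unknown host, keep looking for a trusted one
            anonymous = ReferralPlan(uri, False,
                                     f"{ref['host']} is unknown: follow anonymously, do not replay credentials")
    if anonymous is not None:
        return anonymous
    return ReferralPlan(None, False, "; ".join(rejected) or "no referral URIs")


if __name__ == "__main__":
    # Constructed example: a consumer answers a modify with this referral list.
    referrals = [
        "ldap://master.example.com/dc=example,dc=com",
        "ldaps://master.example.com/dc=example,dc=com",
        "ldaps://rogue.example.net/dc=example,dc=com",
    ]
    print(plan_referral(referrals, bound_host="consumer.example.com"))
    print(plan_referral(referrals, bound_host="consumer.example.com",
                        trusted_hosts=["master.example.com"]))
```

With no trusted-host list the client picks the ldaps:// URL for the master but binds anonymously there, so a modify that needs write rights simply fails instead of leaking the password; only after the administrator lists master.example.com as trusted are the credentials replayed. That is the same knowledge a chaining backend holds server-side, which is why the thread argues the decision belongs there rather than in every client.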