RE: Lunch for the answer: Referral ACL question
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Steve Sullivan
> We're setting up a distributed OpenLDAP service, with a "local"
> root server and a "remote" server for a subtree, but I'm having
> trouble with the ACLs.
>
> I present ldapsearch -C queries to the local server, and for entries held
> in the remote subtree ldapsearch successfully follows the referral.
> It all works fine when both local and remote ACLs have:
> access to * by * read
>
> But if I use something more reasonable, like:
> access to *
> by users read
> by anonymous auth
>
> then the ldapsearch fails (no error msg, just no results).
> Looking at the debug log on the remote server, it appears that
> when I issue ldapsearch -C to the local server, when ldapsearch
> follows the referral it isn't presenting any credentials
> to the remote server ...
That's the way the command-line tools work: they always chase referrals
anonymously. It's a security risk to send your password to an unknown server,
and the tools have no way of knowing the difference between a "trusted" and
an "untrusted" server.
When you're setting up a cooperative distributed service, back-ldap is a
better solution than using referrals.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
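The following slapd.conf excerpts are an added illustration of the back-ldap approach suggested in the reply; they are not configuration from either poster. They assume an OpenLDAP build with back-ldap, and use the `subordinate`, `idassert-bind`, `idassert-authzFrom` and `authz-policy` directives as documented in slapd.conf(5) and slapd-ldap(5). Hostnames, suffixes, DNs, directory paths and passwords are placeholders. The point they show is the one raised in the thread: the remote server keeps the restrictive "by users read / by anonymous auth" ACL, and the client still gets results, because the local server proxies the subtree and asserts the bound user's identity instead of the client chasing a referral anonymously.

```conf
########################################################################
# LOCAL (root) server: slapd.conf excerpt
# Added example for this thread, not configuration from the post.
# Hostnames, suffixes, DNs, paths and passwords are placeholders.
# Directive names follow slapd.conf(5) and slapd-ldap(5); confirm them
# against the manual pages of the OpenLDAP release you actually run.
########################################################################

# The remote subtree is served through back-ldap instead of a "ref:" entry.
# A subordinate database must be listed before the database it is glued under.
database        ldap
suffix          "ou=remote,dc=example,dc=com"
subordinate
uri             "ldap://remote.example.com/"

# Bind to the remote server with the proxy's own identity, then assert the
# identity of whoever is bound locally (mode=self). The client's password
# never leaves the local server and nothing is chased anonymously.
# Assumption: the proxy identity exists on the remote server under its suffix.
idassert-bind   bindmethod=simple
                binddn="cn=proxy,ou=remote,dc=example,dc=com"
                credentials="PLACEHOLDER-PROXY-PASSWORD"
                mode=self
# Only assert identities that live in our own naming context.
idassert-authzFrom "dn.subtree:dc=example,dc=com"

# Root database holding everything except the proxied subtree
# (use bdb or mdb as appropriate for your release).
database        bdb
suffix          "dc=example,dc=com"
directory       /var/lib/ldap
rootdn          "cn=Manager,dc=example,dc=com"
rootpw          PLACEHOLDER-ROOT-PASSWORD

# The "more reasonable" ACL from the question, unchanged: anonymous
# clients may only bind, authenticated users may read.
access to *
        by users read
        by anonymous auth

########################################################################
# REMOTE (subtree) server: slapd.conf excerpt
########################################################################

database        bdb
suffix          "ou=remote,dc=example,dc=com"
directory       /var/lib/ldap-remote
rootdn          "cn=Manager,ou=remote,dc=example,dc=com"
rootpw          PLACEHOLDER-ROOT-PASSWORD

# Allow the proxy identity to act on behalf of users under dc=example,dc=com.
# Assumption: the entry cn=proxy,ou=remote,dc=example,dc=com carries
#   authzTo: dn.subtree:dc=example,dc=com
# and nothing else on this server is granted authzTo.
authz-policy    to

# Same restrictive ACL as on the local server. The proxy's own bind is
# covered by "anonymous auth"; after identity assertion, "users read" is
# evaluated against the asserted client identity, so the search succeeds
# without any anonymous access being granted.
access to *
        by users read
        by anonymous auth
```

Two things worth checking when deploying this: restrict `idassert-authzFrom` and the remote `authzTo` value to exactly the naming context you intend to proxy, since the proxy identity can act as any DN those patterns match; and run the proxy link over TLS (the `tls` option in slapd-ldap(5)), because the proxy's credentials and every proxied query now cross the network between the two servers.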