
Re: OpenLDAP Replication - Trust or not to Trust?



So how does this "trust relationship" have to be described
in OpenLDAP terminology? Is there any existing standard
and/or semantics?
In other words, if a developer wants to implement
automatic referral chasing, how should he describe,
interpret or enforce the "trust relationship"?
Should it happen through config files or ...?
 
Thank you,
Avet.
 
----- Original Message -----
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
To: "Alex Franko" <frankoalex@yahoo.com>
Cc: <openldap-software@OpenLDAP.org>
Sent: Sunday, October 24, 2004 2:46 AM
Subject: Re: OpenLDAP Replication - Trust or not to Trust?

> A developer may implement an LDAP client by writing a
> program that uses the LDAP and LBER libraries.  When the
> program is run, it becomes an LDAP client.  ldapmodify(1)
> is such a program.
>
> The LDAP/LBER libraries implement interfaces (functions)
> which the developer may use to implement a program that
> automatically chases referrals.
>
> In implementing automatic referral chasing, one has to
> be very careful about trust relationships.  Trusting a
> server enough to issue a request to it says nothing
> about whether one trusts returned referral information,
> nor does it say whether one trusts another server.
>
> Kurt
>
> At 06:50 PM 10/23/2004, Alex Franko wrote:
> >
> >----- Original Message -----
> >From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
> >To: "Alex Franko" <frankoalex@yahoo.com>
> >Cc: <openldap-software@OpenLDAP.org>
> >Sent: Saturday, October 23, 2004 7:46 PM
> >Subject: Re: OpenLDAP Replication - Trust or not to Trust?
> >
> >> At 01:54 PM 10/23/2004, Alex Franko wrote:
> >> >I have 3 questions on Kurt's response:
> >> >
> >> >A) Does it mean that the following scenario from chapter 13 of  OpenLDAP
> >> >Administration Guide is wrong (see below):
> >>
> >> No.
> >>
> >> >B) I think that not  ldapmodify , but the Client should chase referrals.
> >>
> >> ldapmodify(1) is an LDAP client.
> >I think we are misinterpreting terminology.  Under the Client I mean the set of functions like
> >(ldap_bind, ldap_add_ext_s etc.) that compose the Client layer. In a Windows env it is oldap32.lib (in Unix/Linux it is libldap.a).   This library oldap32.lib is statically compiled with ldapmodify and other tools. So the problem is in oldap32.lib - the Client library.
> >So other tools (except maybe ldapsearch) that use this library have to experience the
> >same problem. OpenLDAP tools should be able to use the Client Library from other
> >vendors. BTW do they have the same problem in regards to chasing referrals?
> >
> >Alex.
> >>
> >> >So
> >> >if the Client doesn't do that, does it mean that other operations such as
> >> >ldapdelete, ldapmodrdn will not work also?
> >>
> >> There are, I assume, clients which do support automatic chasing
> >> of referrals.  However, as noted in the admin guide,
> >>   ldapmodify(1) and other tools distributed as part of OpenLDAP
> >>   Software do not support automatic referral chasing.
> >>
> >> >C) So if it is not a bug, should the documentation be updated correspondingly?
> >> >     Isn't it possible to re-develop the Client to chase referrals for updating utilities
> >> >such as ldapmodify, etc.  - with consideration of security issues?
> >>
> >> ldapmodify(1) (and other OpenLDAP clients) can certainly be re-developed.
> >Not ldapmodify or other tools but the Client library.
> >Alex.
> >>
> >> >Alex.
> >> >
> >> >
> >> >"Kurt D. Zeilenga" <Kurt@OpenLDAP.org> wrote:
> >> >At 12:43 PM 10/23/2004, Alex Franko wrote:
> >> >>Maybe I misunderstood the documentation and my expectation that the Client should automatically redirect the request to the Master is wrong?
> >> >
> >> >ldapmodify(1) doesn't automatically chase referrals
> >> >(for security reasons).
> >BTW what are these security reasons? The referral to the Master is returned after the entity
> >was successfully authenticated on the Replica. The Replica - as a part of the LDAP service - "trusts"
> >the authenticated entity and returns a referral to its Master. What else?
> >
> >Alex.
> >> >
> >> >Kurt
> >> >
> >> >
> >>
> >
> >
>

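One way a client developer could express the "trust relationship" Kurt describes as explicit configuration, rather than chasing whatever referral a server returns: an added example written for this thread, not OpenLDAP code or anything libldap reads. It assumes a constructed policy (trusted hosts, TLS required, allowed naming contexts) and checks each referral URL against it before the client would reconnect and re-send credentials.

```python
"""Policy check for LDAP referral chasing (added example, not OpenLDAP code)."""
from urllib.parse import urlsplit, unquote

# Constructed trust policy: hypothetical config shape, nothing in libldap reads it.
# It answers Kurt's point: trusting the replica says nothing about the referral target.
TRUST_POLICY = {
    "trusted_hosts": {"master.example.com"},
    "require_tls": True,
    "allowed_bases": ["dc=example,dc=com"],
}

def parse_ldap_url(url):
    """Split an RFC 4516 LDAP URL into scheme, host, port and base DN."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %s" % url)
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    base = unquote(parts.path.lstrip("/"))
    return parts.scheme, parts.hostname, port, base

def dn_within(base, scope_dn):
    """True if base DN equals or is subordinate to scope_dn (simple suffix match)."""
    def norm(s):
        return ",".join(p.strip().lower() for p in s.split(","))
    b, s = norm(base), norm(scope_dn)
    return b == s or b.endswith("," + s)

def referral_allowed(referral_url, policy=TRUST_POLICY):
    """Decide whether the client may chase this referral; returns (ok, reason)."""
    try:
        scheme, host, port, base = parse_ldap_url(referral_url)
    except ValueError as exc:
        return False, str(exc)
    if policy["require_tls"] and scheme != "ldaps":
        return False, "referral not over ldaps"
    if host not in policy["trusted_hosts"]:
        return False, "untrusted host %s" % host
    if base and not any(dn_within(base, b) for b in policy["allowed_bases"]):
        return False, "base DN %s outside allowed naming contexts" % base
    return True, "ok"

if __name__ == "__main__":
    for url in ("ldaps://master.example.com/ou=People,dc=example,dc=com",
                "ldap://master.example.com/dc=example,dc=com",
                "ldaps://other.example.net/dc=example,dc=com"):
        print(url, "->", referral_allowed(url))
```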