
Re: Referral



On Tuesday 08 July 2008 20:00:56 Govind c wrote:
> We have openldap version(-2.2.13-7.4E) installed as master and slave (on
> two different systems) with replication configured between them.
>
> When we try to a ldapmodify on the slave it returns the following message
>
> #ldapmodify -x -hlocalhost -p389 -v -D'cn=Directory Manager, o=del.com' -w
> dgtyrh -f a
>
> ldap_initialize( ldap://localhost:389 )
> replace CurrentVersion:
>         2.0.txt1
> modifying entry "cn=options-server-tr,ou=App-test,o=del.com"
> modify complete
> ldap_modify: Referral (10)
>         referrals:
>                
> ldap://100.115.23.156:389/cn=options-server-tr,ou=App-test,o=del.com

So, why don't you retry the modification against 100.115.23.156? Or, since you 
know which is the master, why don't you always run changes against the 
master?

> However the changes are not reflected.

The fact that you got a referral back does indicate that no changes were made 
on the LDAP server you tried to run the modifications against.

> Browsing the internet, I found that 
> ldapmodify doesn't have the capability to chase referrals, but the
> openldap API allows to write clients that do the chasing.

Since ldapmodify is an administrative utility, the person using it is expected 
to be able to be in the position to determine the security impact of 
following the referral. Since ldapmodify is not in such a position, it 
intentionally will not follow referrals.

> Is this statement 
> valid for this version of openldap too?

Since it is quite possible for an LDAP server to return referrals to LDAP 
servers that are outside the security control of the administrator of the 
first LDAP server (see e.g. back-dnssrv), no, nothing has changed.

> Is chaining the other alternative for chasing referrals?

Well, the real question is why you think you need anything besides what you 
have. The OpenLDAP utilities do not chase referrals (except anonymously in the 
case of ldapsearch), but most other tools that you would need to have chase 
referrals (e.g. pam_ldap) do. Since I can't see why you would need the 
OpenLDAP utilities to chase referrals (apply logic at layer 8 instead), I 
don't see why you have a problem.

But, yes, an alternative means (for clients that don't have the ability to 
chase referrals, be it due to insufficient control available to the user or 
lack of automatic referral chasing), for ensuring that changes sent to a 
slave arrive at the master is the use of the chain overlay.
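The reply's point is that a referral from a slave is a hint, not an instruction: the client must decide whether the host it names is one it is willing to send credentials and writes to. The example below (added here, not code from the thread or from OpenLDAP) shows the layer-8 check in code: it parses the referral URLs out of ldapmodify output like the one quoted above, and only selects a retry target when the referred host is on an administrator-maintained list of known masters and the URL names the entry that was being modified. The `TRUSTED_MASTERS` list, the `choose_target` function and the sample output are constructed for this example; the master address 100.115.23.156 is the one from the quoted transcript.

```python
"""Decide whether a referral returned by a slave should be chased.

Added example, not part of the mailing-list thread or of OpenLDAP.
The sample output is constructed after the transcript quoted in the
thread; the trusted-master list is an assumed administrator setting.
"""
import re
from urllib.parse import urlsplit, unquote

# Constructed ldapmodify output modelled on the quoted transcript.
SAMPLE_OUTPUT = """ldap_initialize( ldap://localhost:389 )
replace CurrentVersion:
        2.0.txt1
modifying entry "cn=options-server-tr,ou=App-test,o=del.com"
modify complete
ldap_modify: Referral (10)
        referrals:
                ldap://100.115.23.156:389/cn=options-server-tr,ou=App-test,o=del.com
"""

# Assumed administrator allow-list: (host, port) pairs that are known masters.
# Credentials and writes must never be sent to a host that is not listed here.
TRUSTED_MASTERS = {("100.115.23.156", 389)}

LDAP_URL_RE = re.compile(r"\bldaps?://\S+")


def extract_referrals(output: str) -> list:
    """Return the LDAP URLs printed after the 'referrals:' marker.

    The ldap_initialize line also contains an LDAP URL, so only lines
    following the marker are considered.
    """
    urls = []
    after_marker = False
    for line in output.splitlines():
        if line.strip() == "referrals:":
            after_marker = True
            continue
        if after_marker:
            urls.extend(LDAP_URL_RE.findall(line))
    return urls


def parse_ldap_url(url: str) -> dict:
    """Split an LDAP URL (RFC 4516 form) into scheme, host, port and base DN."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %s" % url)
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    dn = unquote(parts.path.lstrip("/"))
    return {"scheme": parts.scheme, "host": parts.hostname, "port": port, "dn": dn}


def choose_target(referrals: list, trusted_masters: set, expected_dn: str):
    """Pick the first referral that points at a trusted master for the entry we
    were modifying. Returns the parsed URL, or None meaning 'do not chase'.

    DN comparison is a plain case-insensitive string match; a production
    client would normalise DNs before comparing.
    """
    for url in referrals:
        info = parse_ldap_url(url)
        if (info["host"], info["port"]) not in trusted_masters:
            continue  # unknown server: refuse to send credentials or writes
        if info["dn"].lower() != expected_dn.lower():
            continue  # referral for some other entry: not what we asked for
        return info
    return None


def main() -> None:
    entry = "cn=options-server-tr,ou=App-test,o=del.com"
    referrals = extract_referrals(SAMPLE_OUTPUT)
    target = choose_target(referrals, TRUSTED_MASTERS, entry)
    if target is None:
        print("referral points outside the trusted set; not retrying")
    else:
        print("retry modify against %s://%s:%d" % (target["scheme"], target["host"], target["port"]))


if __name__ == "__main__":
    main()
```

With the allow-list above the script selects the master from the transcript; with an empty or different allow-list it refuses, which is exactly the judgement the reply says ldapmodify itself cannot make. The retry step is left to the operator (re-run ldapmodify with `-h` set to the chosen host) rather than automated here.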