Re: Referral
On Tuesday 08 July 2008 20:00:56 Govind c wrote:
> We have openldap version(-2.2.13-7.4E) installed as master and slave (on
> two different systems) with replication configured between them.
>
> When we try to a ldapmodify on the slave it returns the following message
>
> #ldapmodify -x -hlocalhost -p389 -v -D'cn=Directory Manager, o=del.com' -w
> dgtyrh -f a
>
> ldap_initialize( ldap://localhost:389 )
> replace CurrentVersion:
> 2.0.txt1
> modifying entry "cn=options-server-tr,ou=App-test,o=del.com"
> modify complete
> ldap_modify: Referral (10)
> referrals:
>
> ldap://100.115.23.156:389/cn=options-server-tr,ou=App-test,o=del.com
So, why don't you retry the modification against 100.115.23.156? Or, since you
know which is the master, why don't you always run changes against the
master?
> However the changes are not reflected.
The fact that you got a referral back does indicate that no changes were made
on the LDAP server you tried to run the modifications against.
> Browsing the internet, I found that
> ldapmodify doesn't have the capability to chase referrals, but the
> openldap API allows writing clients that do the chasing.
Since ldapmodify is an administrative utility, the person using it is expected
to be able to be in the position to determine the security impact of
following the referral. Since ldapmodify is not in such a position, it
intentionally will not follow referrals.
> Is this statement
> valid for this version of openldap too?
Since it is quite possible for an LDAP server to return referrals to LDAP
servers that are outside the security control of the administrator of the
first LDAP server (see e.g. back-dnssrv), no, nothing has changed.
> Is chaining the other alternative for chasing referrals?
Well, the real question is why you think you need anything besides what you
have. The OpenLDAP utilities do not chase referrals (except anonymously in the
case of ldapsearch), but most other tools that you would need to have chase
referrals (e.g. pam_ldap) do. Since I can't see why you would need the
OpenLDAP utilities to chase referrals (apply logic at layer 8 instead), I
don't see why you have a problem.
But, yes, an alternative means (for clients that don't have the ability to
chase referrals, be it due to insufficient control available to the user or
lack of automatic referral chasing), for ensuring that changes sent to a
slave arrive at the master is the use of the chain overlay.
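As an added illustration (not part of the message above, and not taken from the OpenLDAP documentation), a constructed slapd.conf fragment for the slave that lets the chain overlay forward a refused write to the master instead of handing the referral back to ldapmodify. The proxy DN, its password and the database section are placeholders; the directive names are those of slapo-chain(5) as of OpenLDAP 2.3, so check the manual page shipped with your release.

```conf
# slapd.conf on the SLAVE (constructed example; the proxy DN and its
# password are placeholders, not values from the thread).

# The chain overlay is loaded globally, before any database, so that it
# intercepts the referral the slave would return for a write and
# forwards the operation to the master itself.
overlay             chain

# Where forwarded operations go: the master named in the referral above.
chain-uri           "ldap://100.115.23.156:389"

# The slave binds to the master with its own proxy identity and then
# asserts the DN of the client that issued the modify (mode="self"), so
# the master applies the change under the original user's identity and
# access controls rather than under the proxy's.
chain-idassert-bind bindmethod="simple"
                    binddn="cn=chain-proxy,o=del.com"
                    credentials="CHANGE-ME"
                    mode="self"

# Hand the master's result code back to the client. With the default
# (FALSE) a failed forwarded write just yields the original referral,
# which hides the real cause from the administrator running ldapmodify.
chain-return-error  TRUE

database            bdb
suffix              "o=del.com"
rootdn              "cn=Directory Manager, o=del.com"

# Slurpd-style replica settings as they would already exist: only the
# replicator may write directly; every other write gets the referral
# that the chain overlay now chases on the client's behalf.
updatedn            "cn=replicator,o=del.com"
updateref           "ldap://100.115.23.156:389"
```

On the master, cn=chain-proxy must be explicitly permitted to assert other identities (the authz-policy directive in slapd.conf(5) and an authzTo value on the proxy's entry), otherwise the chained bind is rejected. Because the proxy password sits in slapd.conf, that file should be readable only by the account slapd runs as.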
- References:
- Referral
- From: Govind c <govindo@yahoo.com>