Chavez, James R. wrote:
Howard Chu wrote:
Date: Mon, 2 Feb 2009 13:26:18 -0800
From: "Chavez, James R."<[email protected]>
Hi Rich, Thank you for your previous response. The answer was actually embedded within your statement, I believe.

"This is a problem in general with some older clients that do not know how to properly follow LDAPv3 referrals"

I used the mozldap ldapmodify tool and it worked to update entries that I point at the consumer. I would have never guessed the openldap tool would not follow LDAPv3 referrals. Maybe a switch I missed or something.
Thanks again for your suggestion.
The automatic referral chasing code in OpenLDAP's command line tools was deprecated years ago. It's a security vulnerability: most of the time it will hand your username and plaintext password to any arbitrary server without any warning.

Referrals are a gross flaw in the design of LDAP and should not be used. Distributed servers should use chaining to hide this detail from clients. Clients are not in any position to know whether or to what degree to trust the referred server, or what authentication domain or credentials are relevant on the referred server. Only the server admin knows these details; putting these decisions at the client is wrong.

+1
You can set up Fedora DS to chain on update with replication - see
http://directory.fedoraproject.org/wiki/Howto:ChainOnUpdate


Rich, this goes towards exactly what I need. From reading this article it seems I am going to need to put hub servers between the read-only consumers. Is that an accurate statement?
No, you don't need to have hubs. That document just shows what is possible. You can have chain on update with as little as 1 master and 1 read-only consumer.
Thanks for the link on the OpenLDAP migration as well.

James

--
Fedora-directory-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/fedora-directory-users
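Added example, not code from this thread or from either directory project: a small Python policy check that models the defensive stance Howard describes above. Instead of letting the client chase a referral with whatever bind credentials it already holds (the deprecated behaviour behind OpenLDAP's `-C` switch and the `REFERRALS` setting in ldap.conf), the client only follows a referral whose target the administrator has explicitly listed, and only over ldaps:// so the credential is not sent in plaintext. The trusted host list and the referral URLs are constructed for the example; the LDAP URL layout (scheme://host:port/DN) follows RFC 4516.

```python
"""
Client-side referral policy (added example, not from the thread).

An LDAPv3 referral result carries one or more LDAP URLs naming another
server. A client that blindly re-binds there hands its credentials to an
arbitrary host. This module decides, per URL, whether following is
acceptable under an administrator-supplied policy.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit, unquote


@dataclass(frozen=True)
class ReferralDecision:
    url: str
    follow: bool
    reason: str


def parse_ldap_url(url):
    """Split an LDAP URL (RFC 4516) into (scheme, host, port, base DN).

    Raises ValueError for anything that is not an ldap:// or ldaps:// URL.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    host = (parts.hostname or "").lower()
    # Default ports per the URL scheme when none is given explicitly.
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    # The path component carries the base DN, percent-encoded.
    dn = unquote(parts.path.lstrip("/"))
    return parts.scheme, host, port, dn


def evaluate_referral(url, trusted_hosts, require_tls=True):
    """Apply the policy to one referral URL and explain the outcome.

    trusted_hosts: hostnames the administrator has declared acceptable
    referral targets. Anything else is refused, so credentials never leave
    for a server the admin did not vet.
    """
    try:
        scheme, host, port, dn = parse_ldap_url(url)
    except ValueError as exc:
        return ReferralDecision(url, False, str(exc))
    if host not in trusted_hosts:
        return ReferralDecision(
            url, False, "host %s is not in the administrator's trusted list" % host)
    if require_tls and scheme != "ldaps":
        return ReferralDecision(
            url, False, "referral is plain ldap://; a re-bind would send credentials unprotected")
    return ReferralDecision(
        url, True, "trusted host %s:%d over TLS; follow for base %s" % (host, port, dn))


def choose_referral(urls, trusted_hosts, require_tls=True):
    """Return the first referral URL the policy permits, or None."""
    for url in urls:
        if evaluate_referral(url, trusted_hosts, require_tls).follow:
            return url
    return None


# Constructed sample data: what a directory server might return in a
# referral result (resultCode 10), and the admin's trust list.
TRUSTED_HOSTS = {"master.example.com"}
REFERRAL_URLS = [
    "ldap://master.example.com/dc=example,dc=com",        # right host, no TLS
    "ldaps://master.example.com:636/dc=example,dc=com",   # acceptable
    "ldaps://evil.example.net/dc=example,dc=com",         # host never vetted
    "http://master.example.com/",                         # not LDAP at all
]

if __name__ == "__main__":
    for u in REFERRAL_URLS:
        d = evaluate_referral(u, TRUSTED_HOSTS)
        print("%-6s %s  (%s)" % ("FOLLOW" if d.follow else "REFUSE", d.url, d.reason))
    print("chosen:", choose_referral(REFERRAL_URLS, TRUSTED_HOSTS))
```

The point of the trust list is that the decision is made from data the administrator supplies, which is the same division of responsibility Howard argues for; a client with an empty list simply never follows referrals, which matches the behaviour the OpenLDAP tools default to today. Chaining on the server side, as in the Fedora DS document Rich links, removes the decision from the client entirely.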

