LINUX.IE, website of the Irish Linux Users' Group

[ILUG] ldap vs. nis...


Paul Jakma paul at clubi.ie
Thu Jul 12 12:27:12 IST 2001


On Thu, 12 Jul 2001, kevin lyda wrote:

> on the surface that seems dumb.

yes it sort of is.

and it's actually more dumb than 'just doesn't work'. because for the
most part referrals work really well. it goes like:

app: i'd like to read o=foo please, and by the way i have a login (a
   DN) of uid=app,dc=etc and a password to go with that
<library goes and connects with DN="uid=app,dc=etc" and does the
     work>
server: uhmmm.. there ya go
xyz: i'd like to update o=foo with ...
<library goes off .... >
server: uhmm... sorry if you want to write to that, talk to xyz
<library follows the referral and connects to xyz with DN="">
                                                       ^^^^^
server: sorry you don't have write access

and that is just plain plain silly. so referrals will work 99% of the
time, as long as there are no restrictive ACLs on the object you
referred to.

and the app won't know that the reason the lookup failed is because
of a referral and the openldap libs binding with a blank DN.

worse: the setup above is very common - cluster of replicated LDAP
servers, only the master allows writes. you can read from the slaves
and if you try to write you will be referred to the master (if the
slave is configured properly).

a read/write LDAP app working with such a cluster of LDAP machines
needs to tell the OpenLDAP libs to not follow referrals, but instead
pass the referral back to the app so that the app can follow it
itself by binding with the proper DN. (and every LDAP browser i've
tried so far is not aware of this requirement).

silly silly silly silly imo. but the openldap developers say this is
the way it should be.

> kevin

regards,
-- 
Paul Jakma	paul at clubi.ie	paul at jakma.org
PGP5 key: http://www.clubi.ie/jakma/publickey.txt
-------------------------------------------
Fortune:
Money can't buy happiness, but it can make you awfully comfortable while
you're being miserable.
		-- C.B. Luce
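
Added example, not part of the original post and not OpenLDAP code: a constructed in-memory model of the exchange described above, comparing a write where the library chases the referral with an empty DN against one where the application receives the referral and rebinds with its own DN. All class and function names and the credentials are hypothetical; in libldap the switch for automatic chasing is the `LDAP_OPT_REFERRALS` option.

```python
# Constructed model of the replica/master exchange; no real LDAP library or traffic.
SUCCESS, REFERRAL, DENIED = "success", "referral", "insufficientAccess"

class Server:
    def __init__(self, users, writers=(), master=None):
        self.users = users              # DN -> password
        self.writers = set(writers)     # DNs the ACL allows to write
        self.master = master            # set only on a read-only replica
        self.data = {}

    def bind(self, dn, password):
        # An empty DN is an anonymous bind and always succeeds.
        if dn == "" or self.users.get(dn) == password:
            return Session(self, dn)
        return None

class Session:
    def __init__(self, server, dn):
        self.server, self.dn = server, dn

    def modify(self, entry, value):
        srv = self.server
        if srv.master is not None:      # replica: refer every write to the master
            return REFERRAL, srv.master
        if self.dn not in srv.writers:  # master: restrictive ACL on the entry
            return DENIED, None
        srv.data[entry] = value
        return SUCCESS, None

def write_library_chases(server, dn, pw, entry, value):
    """The library follows the referral itself and rebinds with DN=""."""
    code, target = server.bind(dn, pw).modify(entry, value)
    if code == REFERRAL:
        code, _ = target.bind("", "").modify(entry, value)
    return code  # the app sees only the final code, never the referral

def write_app_chases(server, dn, pw, entry, value):
    """Chasing is off: the app gets the referral and rebinds with its own DN."""
    code, target = server.bind(dn, pw).modify(entry, value)
    if code == REFERRAL:
        code, _ = target.bind(dn, pw).modify(entry, value)
    return code

def demo():
    users = {"uid=app,dc=etc": "secret"}  # constructed credentials, replicated
    master = Server(users, writers=users)
    replica = Server(users, master=master)
    args = (replica, "uid=app,dc=etc", "secret", "o=foo", "new")
    return write_library_chases(*args), write_app_chases(*args), master.data
```

The first result is the bare access error with no trace of the referral, which is why the application cannot tell why the write failed.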




