Howard Chu
2009-Feb-03 20:49 UTC
RE: [Fedora-directory-users] Updating Consumer replica fails referral to the master from the console.
> Date: Mon, 2 Feb 2009 13:26:18 -0800
> From: "Chavez, James R." <james.chavez@sanmina-sci.com>
>
> Hi Rich,
> Thank you for your previous response. The answer was actually embedded
> within your statement I believe.
>
> "This is a problem in general with some older clients that do not know
> how to properly follow LDAPv3 referrals"
>
> I used the mozldap ldapmodify tool and it worked to update entries that
> I point at the consumer. I would have never guessed the openldap tool
> would not follow LDAPv3 referrals. Maybe a switch I missed or something.
> Thanks again for your suggestion.

The automatic referral chasing code in OpenLDAP's command line tools was deprecated years ago. It's a security vulnerability: most of the time it will hand your username and plaintext password to any arbitrary server without any warning.

Referrals are a gross flaw in the design of LDAP and should not be used. Distributed servers should use chaining to hide this detail from clients. Clients are not in any position to know whether or to what degree to trust the referred server, or what authentication domain or credentials are relevant on the referred server. Only the server admin knows these details; putting these decisions at the client is wrong.

--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
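Howard's objection above is about what a client does when a write against the consumer comes back as a referral: automatic chasing re-binds to whatever host the referral names and re-sends the simple-bind password. The following is an added example, not code from the thread, OpenLDAP or Fedora DS; it models the decision a client would have to make before re-binding, using only the Python standard library. The host names and the trusted-master list are constructed placeholders.

```python
"""Referral policy check before re-binding (added example, not from the thread)."""
from typing import Iterable, Optional, Tuple
from urllib.parse import unquote, urlsplit

# Hosts the directory admin has declared to be the masters of this
# authentication domain. Constructed placeholder names.
TRUSTED_MASTERS = {"master1.example.test", "master2.example.test"}


def parse_ldap_url(url: str) -> Tuple[str, str, int, str]:
    """Split an RFC 4516 LDAP URL into (scheme, host, port, base DN)."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url!r}")
    host = (parts.hostname or "").lower()
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    # Attributes, scope, filter and extensions after '?' do not affect trust.
    return parts.scheme, host, port, unquote(parts.path.lstrip("/"))


def may_follow(url: str, trusted: Iterable[str] = TRUSTED_MASTERS) -> Tuple[bool, str]:
    """Decide whether the user's simple-bind credentials may go to this URL.
    Automatic chasing would re-bind anywhere; this refuses anything that is
    not TLS-protected or not an admin-declared master, and says why.
    """
    try:
        scheme, host, port, _dn = parse_ldap_url(url)
    except ValueError as exc:
        return False, str(exc)
    if scheme != "ldaps":
        return False, f"refusing to send a plaintext password to {host}:{port}"
    if host not in {h.lower() for h in trusted}:
        return False, f"{host} is not a trusted master; credentials withheld"
    return True, f"{host}:{port} is a trusted master; re-bind over TLS allowed"


def choose_referral(urls: Iterable[str]) -> Optional[str]:
    """Return the first acceptable URL from a referral result, or None."""
    return next((u for u in urls if may_follow(u)[0]), None)


if __name__ == "__main__":
    # Constructed referral list as a read-only consumer might return it.
    referral = ["ldap://master1.example.test/dc=example,dc=test",
                "ldaps://rogue.example.test/dc=example,dc=test",
                "ldaps://master1.example.test/dc=example,dc=test"]
    for u in referral:
        print(u, "->", may_follow(u)[1])
    print("would follow:", choose_referral(referral))
```

The point of the check is the one Howard makes: the trust decision lives with the administrator's list, not with whatever URL the server hands back.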
Chavez, James R.
2009-Feb-03 20:56 UTC
RE: [Fedora-directory-users] Updating Consumer replica fails referral to the master from the console.
Howard,
Thank you for the insight. I have seen your posts on other mailing lists and will definitely take what you said into consideration. I will look to implement chaining soon. However, is it possible to implement chaining over SSL using simple authentication and not certificate based authentication? I believe I had read it was not, but I may be mistaken.

And since you posted let me ask you this: Is it possible to extend the FDS schema to include the yast.schema extension that OpenLDAP contains in the SUSE OpenLDAP package? I am looking for the "susegrouptemplate" object class and such.

Thank you again
James

-----Original Message-----
From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Howard Chu
Sent: Tuesday, February 03, 2009 1:49 PM
To: fedora-directory-users@redhat.com
Subject: RE: [Fedora-directory-users] Updating Consumer replica fails referral to the master from the console.

> Date: Mon, 2 Feb 2009 13:26:18 -0800
> From: "Chavez, James R." <james.chavez@sanmina-sci.com>
>
> Hi Rich,
> Thank you for your previous response. The answer was actually embedded
> within your statement I believe.
>
> "This is a problem in general with some older clients that do not know
> how to properly follow LDAPv3 referrals"
>
> I used the mozldap ldapmodify tool and it worked to update entries
> that I point at the consumer. I would have never guessed the openldap
> tool would not follow LDAPv3 referrals. Maybe a switch I missed or
> something.
> Thanks again for your suggestion.

The automatic referral chasing code in OpenLDAP's command line tools was deprecated years ago. It's a security vulnerability: most of the time it will hand your username and plaintext password to any arbitrary server without any warning.

Referrals are a gross flaw in the design of LDAP and should not be used. Distributed servers should use chaining to hide this detail from clients. Clients are not in any position to know whether or to what degree to trust the referred server, or what authentication domain or credentials are relevant on the referred server. Only the server admin knows these details; putting these decisions at the client is wrong.

--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/

--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

CONFIDENTIALITY
This e-mail message and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail message, you are hereby notified that any dissemination, distribution or copying of this e-mail message, and any attachments thereto, is strictly prohibited. If you have received this e-mail message in error, please immediately notify the sender and permanently delete the original and any copies of this email and any prints thereof. ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT INTENDED AS A SUBSTITUTE FOR A WRITING. Notwithstanding the Uniform Electronic Transactions Act or the applicability of any other law of similar substance and effect, absent an express statement to the contrary hereinabove, this e-mail message its contents, and any attachments hereto are not intended to represent an offer or acceptance to enter into a contract and are not otherwise intended to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any other person or entity.
Rich Megginson
2009-Feb-03 20:56 UTC
Re: [Fedora-directory-users] Updating Consumer replica fails referral to the master from the console.
Howard Chu wrote:
>> Date: Mon, 2 Feb 2009 13:26:18 -0800
>> From: "Chavez, James R." <james.chavez@sanmina-sci.com>
>>
>> Hi Rich,
>> Thank you for your previous response. The answer was actually embedded
>> within your statement I believe.
>>
>> "This is a problem in general with some older clients that do not know
>> how to properly follow LDAPv3 referrals"
>>
>> I used the mozldap ldapmodify tool and it worked to update entries that
>> I point at the consumer. I would have never guessed the openldap tool
>> would not follow LDAPv3 referrals. Maybe a switch I missed or something.
>> Thanks again for your suggestion.
>
> The automatic referral chasing code in OpenLDAP's command line tools
> was deprecated years ago. It's a security vulnerability: most of the
> time it will hand your username and plaintext password to any
> arbitrary server without any warning.
>
> Referrals are a gross flaw in the design of LDAP and should not be
> used. Distributed servers should use chaining to hide this detail from
> clients. Clients are not in any position to know whether or to what
> degree to trust the referred server, or what authentication domain or
> credentials are relevant on the referred server. Only the server admin
> knows these details; putting these decisions at the client is wrong.

+1

You can set up Fedora DS to chain on update with replication - see http://directory.fedoraproject.org/wiki/Howto:ChainOnUpdate
Rich Megginson
2009-Feb-03 21:12 UTC
Re: [Fedora-directory-users] Updating Consumer replica fails referral to the master from the console.
Chavez, James R. wrote:
> Howard, Thank you for the insight. I have seen your posts on other
> mailing lists and will definitely take what you said into consideration.
> I will look to implement chaining soon. However is it possible to
> implement chaining over SSL using simple authentication and not
> certificate based authentication? I believe I had read it was not but I
> may be mistaken.

Yes. You can set up any sort of SSL without requiring cert based auth.

> And since you posted let me ask you this: Is it possible to extend the
> FDS schema to include the yast.schema extension that OpenLDAP contains
> in the SUSE OpenLDAP package? I am looking for the "susegrouptemplate"
> object class and such.

Yes - see http://directory.fedoraproject.org/wiki/Howto:OpenLDAPMigration

> Thank you again
> James
>
> -----Original Message-----
> From: fedora-directory-users-bounces@redhat.com
> [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Howard Chu
> Sent: Tuesday, February 03, 2009 1:49 PM
> To: fedora-directory-users@redhat.com
> Subject: RE: [Fedora-directory-users] Updating Consumer replica fails
> referral to the master from the console.
>
>> Date: Mon, 2 Feb 2009 13:26:18 -0800
>> From: "Chavez, James R." <james.chavez@sanmina-sci.com>
>>
>> Hi Rich,
>> Thank you for your previous response. The answer was actually embedded
>> within your statement I believe.
>>
>> "This is a problem in general with some older clients that do not know
>> how to properly follow LDAPv3 referrals"
>>
>> I used the mozldap ldapmodify tool and it worked to update entries
>> that I point at the consumer. I would have never guessed the openldap
>> tool would not follow LDAPv3 referrals. Maybe a switch I missed or
>> something.
>> Thanks again for your suggestion.
>
> The automatic referral chasing code in OpenLDAP's command line tools was
> deprecated years ago. It's a security vulnerability: most of the time it
> will hand your username and plaintext password to any arbitrary server
> without any warning.
>
> Referrals are a gross flaw in the design of LDAP and should not be used.
> Distributed servers should use chaining to hide this detail from clients.
> Clients are not in any position to know whether or to what degree to
> trust the referred server, or what authentication domain or credentials
> are relevant on the referred server. Only the server admin knows these
> details; putting these decisions at the client is wrong.
Ryan Braun [ADS]
2009-Feb-03 21:15 UTC
Re: [Fedora-directory-users] Updating Consumer replica fails referral to the master from the console.
On Tuesday 03 February 2009 20:56, Chavez, James R. wrote:
> And since you posted let me ask you this: Is it possible to extend the
> FDS schema to include the yast.schema extension that OpenLDAP contains
> in the SUSE OpenLDAP package? I am looking for the "susegrouptemplate"
> object class and such.

You can add your own schema to fds, but they are in a different format IIRC from the .schema's included with openldap. Have a look in /etc/dirsrv/schema (for system wide schema changes on any NEW dbs created) and in /etc/dirsrv/slapd-INSTANCE/schema (for that instance's schema files).

I haven't looked at a .schema file for some time now, but I'm pretty sure about them not working out of the box with fds. /shrug.

Ryan
Chavez, James R.
2009-Feb-03 23:56 UTC
RE: [Fedora-directory-users] Updating Consumer replica fails referral to the master from the console.
Howard Chu wrote:
>> Date: Mon, 2 Feb 2009 13:26:18 -0800
>> From: "Chavez, James R." <james.chavez@sanmina-sci.com>
>>
>> Hi Rich,
>> Thank you for your previous response. The answer was actually
>> embedded within your statement I believe.
>>
>> "This is a problem in general with some older clients that do not
>> know how to properly follow LDAPv3 referrals"
>>
>> I used the mozldap ldapmodify tool and it worked to update entries
>> that I point at the consumer. I would have never guessed the
>> openldap tool would not follow LDAPv3 referrals. Maybe a switch I
>> missed or something.
>> Thanks again for your suggestion.
>
> The automatic referral chasing code in OpenLDAP's command line tools
> was deprecated years ago. It's a security vulnerability: most of the
> time it will hand your username and plaintext password to any
> arbitrary server without any warning.
>
> Referrals are a gross flaw in the design of LDAP and should not be
> used. Distributed servers should use chaining to hide this detail from
> clients. Clients are not in any position to know whether or to what
> degree to trust the referred server, or what authentication domain or
> credentials are relevant on the referred server. Only the server admin
> knows these details; putting these decisions at the client is wrong.
>
> +1
> You can set up Fedora DS to chain on update with replication - see
> http://directory.fedoraproject.org/wiki/Howto:ChainOnUpdate

Rich this goes towards exactly what I need. From reading this article it seems I am going to need to put hub servers between the read only consumers. Is that an accurate statement?

Thanks for the link on the OpenLDAP migration as well.

James
Rich Megginson
2009-Feb-04 00:18 UTC
Re: [Fedora-directory-users] Updating Consumer replica fails referral to the master from the console.
Chavez, James R. wrote:
> Howard Chu wrote:
>>> Date: Mon, 2 Feb 2009 13:26:18 -0800
>>> From: "Chavez, James R." <james.chavez@sanmina-sci.com>
>>>
>>> Hi Rich,
>>> Thank you for your previous response. The answer was actually
>>> embedded within your statement I believe.
>>>
>>> "This is a problem in general with some older clients that do not
>>> know how to properly follow LDAPv3 referrals"
>>>
>>> I used the mozldap ldapmodify tool and it worked to update entries
>>> that I point at the consumer. I would have never guessed the
>>> openldap tool would not follow LDAPv3 referrals. Maybe a switch I
>>> missed or something.
>>> Thanks again for your suggestion.
>>
>> The automatic referral chasing code in OpenLDAP's command line tools
>> was deprecated years ago. It's a security vulnerability: most of the
>> time it will hand your username and plaintext password to any
>> arbitrary server without any warning.
>>
>> Referrals are a gross flaw in the design of LDAP and should not be
>> used. Distributed servers should use chaining to hide this detail from
>> clients. Clients are not in any position to know whether or to what
>> degree to trust the referred server, or what authentication domain or
>> credentials are relevant on the referred server. Only the server admin
>> knows these details; putting these decisions at the client is wrong.
>>
> +1
> You can set up Fedora DS to chain on update with replication - see
> http://directory.fedoraproject.org/wiki/Howto:ChainOnUpdate
>
> Rich this goes towards exactly what I need. From reading this article it
> seems I am going to need to put hub servers between the read only
> consumers. Is that an accurate statement?

No, you don't need to have hubs. That document just shows what is possible. You can have chain on update with as little as 1 master and 1 read-only consumer.

> Thanks for the link on the OpenLDAP migration as well.
>
> James