On Tuesday 08 July 2008 20:00:56 Govind c wrote:
> We have openldap version (2.2.13-7.4E) installed as master and slave (on two different systems) with replication configured between them.
> When we try an ldapmodify on the slave it returns the following message:
>
> #ldapmodify -x -hlocalhost -p389 -v -D'cn=Directory Manager, o=del.com' -w dgtyrh -f a
> ldap_initialize( ldap://localhost:389 )
> replace CurrentVersion:
>         2.0.txt1
> modifying entry "cn=options-server-tr,ou=App-test,o=del.com"
> modify complete
> ldap_modify: Referral (10)
>         referrals:
>                 ldap://100.115.23.156:389/cn=options-server-tr,ou=App-test,o=del.com
So, why don't you retry the modification against 100.115.23.156? Or, since you know which is the master, why don't you always run changes against the master?
> However the changes are not reflected.
The fact that you got a referral back does indicate that no changes were made on the LDAP server you tried to run the modifications against.
> Browsing the internet, I found that ldapmodify doesn't have the capability to chase referrals, but the openldap API allows writing clients that do the chasing.
Since ldapmodify is an administrative utility, the person using it is expected to be able to be in the position to determine the security impact of following the referral. Since ldapmodify is not in such a position, it intentionally will not follow referrals.
> Is this statement valid for this version of openldap too?
Since it is quite possible for an LDAP server to return referrals to LDAP servers that are outside the security control of the administrator of the first LDAP server (see e.g. back-dnssrv), no, nothing has changed.
> Is chaining the other alternative for chasing referrals?
Well, the real question is why you think you need anything besides what you have. The OpenLDAP utilities do not chase referrals (except anonymously in the case of ldapsearch), but most other tools that you would need to have chase referrals (e.g. pam_ldap) do. Since I can't see why you would need the OpenLDAP utilities to chase referrals (apply logic at layer 8 instead), I don't see why you have a problem.
But, yes, an alternative means (for clients that don't have the ability to chase referrals, be it due to insufficient control available to the user or lack of automatic referral chasing), for ensuring that changes sent to a slave arrive at the master is the use of the chain overlay.
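The security argument in this reply is that a referral may point at a server outside the administrator's control, so a client that chases it would re-send its bind credentials to an arbitrary host. The following is an added example, not code from the thread or from OpenLDAP: a stdlib-only Python check that parses the referral URL ldapmodify printed above and refuses to follow it unless the target is on a hypothetical administrator-maintained allow-list of masters and names the same entry.

```python
"""Policy check for an LDAP referral before a client decides to chase it.

Added example (not from the thread): the allow-list TRUSTED_MASTERS is
hypothetical; the referral string is the one ldapmodify printed.
"""
from urllib.parse import unquote, urlsplit

# Referral exactly as ldapmodify reported it in the thread.
REFERRAL = "ldap://100.115.23.156:389/cn=options-server-tr,ou=App-test,o=del.com"

# Hypothetical allow-list: the only (host, port) pairs an administrator is
# willing to send the Directory Manager credentials to.
TRUSTED_MASTERS = {("100.115.23.156", 389)}


def parse_referral(uri):
    """Split an LDAP URL (RFC 4516 shape) into (scheme, host, port, dn)."""
    parts = urlsplit(uri)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % uri)
    host = parts.hostname
    if not host:
        raise ValueError("referral carries no host: %r" % uri)
    # Default ports per scheme when the referral omits one.
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    dn = unquote(parts.path.lstrip("/"))
    return parts.scheme, host, port, dn


def referral_decision(uri, original_dn, trusted=TRUSTED_MASTERS):
    """Return 'follow' only when the referral target is a trusted master and
    still names the entry we were modifying; otherwise explain the refusal.

    Simplification: DNs are compared case-insensitively as strings, which is
    adequate for this entry but not a full DN normalisation.
    """
    scheme, host, port, dn = parse_referral(uri)
    if (host, port) not in trusted:
        return "refuse: %s:%d is not a trusted master" % (host, port)
    if dn.lower() != original_dn.lower():
        return "refuse: referral names a different entry"
    return "follow"


if __name__ == "__main__":
    target_dn = "cn=options-server-tr,ou=App-test,o=del.com"
    print(referral_decision(REFERRAL, target_dn))
```

Only after this check returns "follow" would a client re-bind to the referred host and re-issue the modification; a referral to an unknown host is logged and dropped, which is the "layer 8" decision the reply says ldapmodify deliberately leaves to the administrator.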