Hi,
this patch adds a rebind proc which uses the same credentials as those used for the primary server to authenticate to the second server when doing referral chasing.
There are two important things to keep in mind:
- As already mentioned, we use the same credentials for both connections, i.e. if TLS is used on the first connection, it will be used on the second too. If GSSAPI is used for the first server, it will be used for the second server with the same realm/KDC/keytab settings. If we want different credentials and authentication schemes for different servers, we should address this in a separate patch.
- Everything is synchronous, let me repeat: synchronous. From 'man ldap_set_rebind_proc': "The rebind function must use a synchronous bind method."
I have tested this patch against an OpenLDAP server with GSSAPI and simple bind with and without TLS.
This patch should fix ticket #495.
bye, Sumit
On 10/26/2010 12:02 PM, Sumit Bose wrote:
Nothing we can do to avoid a synchronous bind here. This is the best we can do.
Ack.
-- Stephen Gallagher, RHCE 804006346421761
Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/
On 10/26/2010 01:57 PM, Stephen Gallagher wrote:
Pushed to master.