[Samba] samba + slave OpenLdap (read-only)

Charlie medievalist at gmail.com
Thu Jul 3 18:54:08 GMT 2008


On Thu, Jul 3, 2008 at 9:12 AM, Volker Lendecke
<Volker.Lendecke at sernet.de> wrote:
>
> Can you send sample code how this should be done. AFAIK the
> LDAP libs should take care of this. That's the whole point
> of having the rebind_proc stuff around.

I believe that the OpenLDAP libraries have been able to chase
referrals and failovers and deal with heavily paged search results for
many years now.  In the case of searching, programmers must use the
API correctly (in other words, don't just ignore it when the libs
return a "more results pending" flag) but in the case of referrals
LDAP_OPT_REFERRALS is by default set to LDAP_OPT_ON, so it should be
reasonably transparent to the programmer.  Authoritative information
should be easily available from the OpenLDAP.org site, so don't take
my word for it!

The most common problem I see with busted referrals is when someone
sets up a program (such as samba) to use the local replica's
rootdn/rootpw as defined in /etc/slapd.conf (which allows bypassing
ACLs and whatnot) but does not define that dn and password to have
appropriate access on the master server.  If the admindn that samba is
using does not have the ability to write the master slapd, it won't
matter if it has unrestricted access to the slave.

--Charlie
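As an added illustration of the misconfiguration Charlie describes (this is not configuration from the thread; hostnames, DNs and the password hash are made-up placeholders): the replica's rootdn bypasses ACLs only on the replica, and writes are handed back to the client as a referral, so the same DN must be granted write access explicitly on the master or the chased referral is refused.

```conf
# --- slave (read-only replica) slapd.conf: constructed example ---
database        bdb
suffix          "dc=example,dc=com"
# rootdn bypasses ACLs, but only on THIS server
rootdn          "cn=samba,dc=example,dc=com"
rootpw          {SSHA}PLACEHOLDER-HASH
# write attempts are answered with a referral to the master; the
# client library chases it and rebinds with the same credentials
updateref       ldap://master.example.com

# --- master slapd.conf: constructed example ---
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
rootpw          {SSHA}PLACEHOLDER-HASH
# BROKEN: cn=samba is never mentioned here, so after the referral it
# is an ordinary bind DN with read access only and every write fails:
#   access to * by * read
# FIXED: grant the DN samba binds with write access on the master too
access to dn.subtree="ou=People,dc=example,dc=com"
        by dn.exact="cn=samba,dc=example,dc=com" write
        by * read

# --- smb.conf on the samba host: binds to the replica with that DN ---
[global]
        passdb backend  = ldapsam:ldap://slave.example.com
        ldap admin dn   = cn=samba,dc=example,dc=com
        ldap suffix     = dc=example,dc=com
```

A quick check from the samba host is to bind to the master directly as the `ldap admin dn` and attempt a harmless modify; if that is refused, the referral chase will be refused too.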

