Lockout
Luke Howard
lukeh at padl.com
Mon Sep 21 18:11:13 EDT 2009
> I don't know about OpenLDAP, but Mozilla libldap does not automatically
> chase referrals. Also, it's the DS that has to be multi-master, no? In
> any case, I think it's simpler to just say that in the LDAP case you
> assume that the server is smart enough to ensure replication and
> atomicity. (Note that LDAP does provide for some degree of atomicity.)
Right. Chasing referrals with authentication requires you to provide a
rebind callback. I'm not sure whether the default is to chase them
anonymously or not (in OpenLDAP I expect this can be set in
ldap.conf), but that's pretty irrelevant to a KDC which will likely
authenticate to the LDAP server.
-- Luke
More information about the krbdev mailing list