[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5752) ldapadd/ldapmodify do not follow referrals

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#5752) ldapadd/ldapmodify do not follow referrals
From: ando@sys-net.it
Date: Sun, 19 Oct 2008 18:17:49 GMT

That's by design.  Since following referrals non-anonymously is 
inherently unsafe, automatically chasing referrals implies allowing the 
user to either (a) acknowledge automatic chasing based on the referral's 
value, or (b) be prompted for the correct credentials.  I don't see too 
much difference between this and requiring the user to manually chase 
referrals.

The right solution to your problem consists in configuring your slapd 
with slapo-chain(5) in order to delegate referral chasing to the DSA. 
In that case, automatic chasing would be performed within a well-agreed 
authentication/authorization pattern, and the client wouldn't even know 
a referral was returned.

I'd consider this ITS closed, unless you intend to provide a patch that 
(optionally) implements (a) and (b) above.

p.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------

Prev by Date: (ITS#5753) Command-line tools: Handling of -x and -D vs. -Y and -U
Next by Date: Re: (ITS#5751) undefined value in slapo-constraint with bad filter
Index(es):
- Chronological
- Thread