[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: How to make binding on downward referral possible.

To: sandeep@netcontinuum.com
Subject: Re: How to make binding on downward referral possible.
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Wed, 14 Jun 2006 07:44:54 -0700
Cc: ando@sys-net.it, OpenLDAP Software List <openldap-software@OpenLDAP.org>
In-reply-to: <448FA8F7.5080008@netcontinuum.com>
References: <448E631B.2050901@netcontinuum.com> <43700.131.175.154.56.1150210367.squirrel@131.175.154.56> <448FA8F7.5080008@netcontinuum.com>

At 11:13 PM 6/13/2006, Sandeep A.S wrote:
>Pierangelo Masarati wrote:
>
>>>Is  there any way to  make  binding follow the referral  in the case of
>>>downward referral ?
>>>In upward referral it works fine.(Ie slapd.conf entry of referral)
>>>But how I can make it with downward referral . My requirement is after
>>>serchng the entry,client
>>>should bind to the corresponding server and not to the parent server .
>>>
>>>I posted one mail on last week with subject:Bind Problem with downward
>>>referrals. It seems because of my poor english
>>>I have't got any response.
>>>   
>>
>>Your question doesn't appear very clear, and I fear not because of poor
>>English.  First of all, bind is supposed to fail with invalidCredentials
>>(49) if a referral would be returned.  I'm not sure I understand what you
>>mean by downward/upward referral; I mean: I do not understand how
>>following one would differ from follwing the other.
>>
>>Anyway, in general following referrals is something clients have to deal
>>with, e.g. by parsing the [host][:port] out of the URI, contacting it, and
>>reworking the request according to the DN and other info contained in the
>>referral.
>>
>>If you want OpenLDAP clients to do this for you, you need to use the -C
>>option, which is deprecated (automatic referral chasing in general is a
>>bad thing, unless one knows what he's doing).  However, OpenLDAP clients
>>do that anonymously, as they cannot infer enough information from their
>>configuration, from the command line options and from the contents of the
>>referral, about how to safely and effectively rebind.
>>
>>If you know how your client should rebind, I suggest you write your own
>>tool, or modify OpenLDAP's, to work according to your needs.  Otherwise,
>>if you want the server to do that for you, i.e. no referral gets back to
>>the client, but the server directly chases the referral, you need to use
>>the slapo-chain(5) overlay (OpenLDAP 2.3 and above).  In that case, if you
>>look at the idassert directive of the underlying slapd-ldap(5), you can
>>also define very effective rebind strategies.
>>
>>That tool is not so easy to use and configure; I suggest you read very
>>carefully the documentation you've been pointed to, and you play with the
>>related tests (test007, test018, test032) and the configuration they use
>>before you try to setup your own system.
>>
>> 
>   Thanks a lot for the information.
>   For more clarity on my mail  these  are my indented meaning of  terms:
>   Upward referral : The referral which uses  referral directive in slapd.conf
>   Downward referral: The referral which uses   objectClass: referral and ref: attribute from the
>   database.
>    In my tests I was not getting invalidCredentials (49)  with upward referral bind . But I was getting this
>    reply (invalidCredentials) in the case of downward referral bind with default settings in Fedora Linux
>    systems.
>   
>-Sandeep

Sounds like you are using an old version of OpenLDAP Software.

Kurt

References:
- How to make binding on downward referral possible.
  - From: "Sandeep A.S" <sandeep@netcontinuum.com>
- Re: How to make binding on downward referral possible.
  - From: "Pierangelo Masarati" <ando@sys-net.it>
- Re: How to make binding on downward referral possible.
  - From: "Sandeep A.S" <sandeep@netcontinuum.com>

Prev by Date: Re: component matching in 2.3.*
Next by Date: Re: Bind dn connection
Index(es):
- Chronological
- Thread