
Re: Referrals chased, but not using right creds



Jeremiah Martell wrote:
Hello,

I'm seeing something strange (or perfectly normal) with openldap in
regards to referrals.

I set LDAP_OPT_REFERRALS to LDAP_OPT_ON, and LDAP_OPT_DEREF to
LDAP_DEREF_ALWAYS. When I do a search openldap successfully chases
down referrals, but when it binds to the referred server, it does so
anonymously.

Is this expected? Should I be able to say to use the same creds as the
referring server? Is there something else I may be missing?

OpenLDAP clients, by design, rebind anonymously when automatically chasing referrals. If you want a different behavior you should write your own client and use ldap_set_rebind_proc(3) to customize the way you want bind to be propagated when chasing referrals. A quick solution would be to customize existing clients, e.g. ldapsearch(1).


The reason this is not automatically done has been discussed many times, so I suggest you search the archives. To make it short, it's insecure to give away credentials that way, unless you know you can trust the URI you are being referred to; and you may know only if you see it.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------
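
One way to apply the advice in the reply above, as an added example that is not part of the original message or of OpenLDAP's own code: a rebind callback for ldap_set_rebind_proc(3) that sends the bind DN and password only to allowlisted ldaps:// hosts and binds anonymously to every other referral target. The host names, `struct rebind_creds` and the function names are assumptions made for illustration; the libldap part compiles only where the libldap headers are installed.

```c
#include <string.h>
#include <strings.h>

/* Assumption: the only hosts allowed to receive the bind DN and password. */
static const char *const trusted_hosts[] = { "ldap1.example.com", "ldap2.example.com" };

/* Return 1 only for ldaps://<trusted host>[:port][/...]; anything else is 0. */
int referral_is_trusted(const char *url)
{
    static const char scheme[] = "ldaps://";
    size_t i, hostlen;

    if (url == NULL || strncasecmp(url, scheme, sizeof scheme - 1) != 0)
        return 0;                    /* never send a password over plain ldap:// */
    url += sizeof scheme - 1;
    hostlen = strcspn(url, ":/?");   /* host ends at the port, DN or query part */
    for (i = 0; i < sizeof trusted_hosts / sizeof *trusted_hosts; i++)
        if (strlen(trusted_hosts[i]) == hostlen &&       /* exact match, no suffix tricks */
            strncasecmp(url, trusted_hosts[i], hostlen) == 0)
            return 1;
    return 0;
}

#if defined(__has_include)
#if __has_include(<ldap.h>)          /* libldap part: needs the OpenLDAP headers */
#include <ldap.h>

struct rebind_creds { const char *dn; const char *password; };

/* LDAP_REBIND_PROC: libldap calls this before re-sending a request to `url`. */
static int rebind_trusted_only(LDAP *ld, LDAP_CONST char *url, ber_tag_t request,
                               ber_int_t msgid, void *params)
{
    const struct rebind_creds *c = params;
    struct berval cred = { 0, "" };
    const char *dn = "";             /* default: anonymous simple bind */

    (void)request; (void)msgid;
    if (referral_is_trusted(url)) {  /* propagate credentials only when allowlisted */
        dn = c->dn;
        cred.bv_val = (char *)c->password;
        cred.bv_len = strlen(c->password);
    }
    return ldap_sasl_bind_s(ld, dn, LDAP_SASL_SIMPLE, &cred, NULL, NULL, NULL);
}

/* Call once after ldap_initialize() and the initial bind. */
static int install_rebind_policy(LDAP *ld, struct rebind_creds *c)
{ return ldap_set_rebind_proc(ld, rebind_trusted_only, c); }
#endif
#endif
```

The allowlist check does not restrict the port, so any port on a trusted host is accepted; link with `-lldap -llber` when using the callback.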