[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#3526) Further referral chasing in chain overlay may use different authc/authz

Full_Name: Pierangelo Masarati
Version: HEAD
OS: irrelevant
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (
Submitted by: ando

The chain overlay may use rather sophisticated authentication/authorization
mechanisms to chase referrals returned by the original operation.

However, if the response to the chain overlay's operation contains further
referrals, those are automatically chased y the underlying library, because
back-ldap automatically sets LDAP_OPT_REFERRALS to on.  This results in
referrals being chased by means of the rebind procedure at the library level,
which makes the use of identity assertion and bind mechs other than simple

I suggest the use of the LDAP_OPT_REFERRALS option be configurable in back-ldap;
that it is disabled in the chain overlay; and that, in case, further referrals
are explicitly chased by the overlay.  This may require to further imrove
back-ldap, so that multiple idasserts can be confgured, and the most appropriate
be selected based on the URI that is being chased.