(ITS#3526) Further referral chasing in chain overlay may use different authc/authz
Full_Name: Pierangelo Masarati
Version: HEAD
OS: irrelevant
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (81.72.89.40)
Submitted by: ando
The chain overlay may use rather sophisticated authentication/authorization
mechanisms to chase referrals returned by the original operation.

However, if the response to the chain overlay's operation contains further
referrals, those are automatically chased by the underlying library, because
back-ldap automatically sets LDAP_OPT_REFERRALS to on.  This results in
referrals being chased by means of the rebind procedure at the library level,
which makes the use of identity assertion and bind mechs other than simple
impossible.

I suggest the use of the LDAP_OPT_REFERRALS option be configurable in back-ldap;
that it be disabled in the chain overlay; and that, in case, further referrals
are explicitly chased by the overlay.  This may require further improving
back-ldap, so that multiple idasserts can be configured, and the most appropriate
be selected based on the URI that is being chased.

p.
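As an added illustration, not part of this ITS report, the slapd.conf shape of what the report asks for: library-level chasing switched off in back-ldap, and a separate identity assertion per chained URI so each hop binds with its own mechanism instead of the library's simple rebind. Directive names are taken from the later slapd-ldap(5) and slapo-chain(5) manual pages and are assumed to apply to the reader's release; hostnames, DNs and credentials are constructed.

```conf
# --- weak setting: back-ldap with the default, referrals chased by libldap ---
# Any referral in the response is followed by the library's rebind, which can
# only use the simple bind it knows about; the idassert below is never applied
# to the chased hop.
database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://ldap0.example.com"
# chase-referrals yes          # slapd-ldap(5) default (assumed)
idassert-bind   bindmethod=sasl saslmech=DIGEST-MD5
                authcId=proxy credentials=proxysecret mode=self

# --- corrected setting: disable library chasing, let the overlay chase ---
database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://ldap0.example.com"
chase-referrals no              # referrals are returned to slapd, not rebound

overlay         chain
chain-max-depth 3               # bound on how many further referrals are followed

# one idassert per URI that may be chased, selected by the referral's URI
chain-uri       "ldap://ldap1.example.com"
chain-idassert-bind bindmethod=sasl saslmech=DIGEST-MD5
                authcId=proxy1 credentials=secret1 mode=self

chain-uri       "ldaps://ldap2.example.com"
chain-idassert-bind bindmethod=simple
                binddn="cn=proxy2,dc=example,dc=com" credentials=secret2
                mode=self
```

With the second form, a referral to ldap2 is bound with proxy2's identity and the client's identity asserted on top, rather than being rebound by libldap with whatever simple credentials happened to be cached.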