Re: (ITS#4570) slapo-chain does not return an error when chasing a referral fails



> When the chain overlay encounters an error while chasing a referral it
> will return the chased referral to the client instead of the occurred
> error.

This behavior is consistent with that of libldap, and I believe it is
desirable.  In fact, slapo-chain tries to chain operations when possible;
when it's not, the referral is returned to the client under the assumption
the client may know how to deal with referrals that couldn't be
automatically chased.  This is true, for example, in cases where a
referral needs to be chased with an identity that differs from that used
for the original request, and I guess this is your case: slapo-chain is
receiving an "insufficientAccess" code.

Or maybe you need to use the "idassert" feature so that the identity your
client bound with is asserted while chasing the referral by means of the
proxyAuthz control (RFC4370); see slapd-ldap(5) for details.

If you need a different behavior, e.g. that no referrals ever get
returned, you may want to look into using the "chainingBehavior" control
<draft-sermersheim-ldap-chaining> (expired), which is implemented in
slapo-chain(5).  The code might be a little bit broken as it's never been
revitalized after the draft expired.

p.



Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309          
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------
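
The "idassert" setup mentioned in the reply above, sketched as a slapd.conf fragment. This is an added example, not part of the original message or of the OpenLDAP distribution; the hostname, DNs, password and the authzTo pattern are placeholders.

```conf
# --- On the server that runs slapo-chain (constructed example) ---

overlay                 chain

# Per-target settings follow the chain-uri they apply to.
chain-uri               "ldap://ldap2.example.com"

# Bind to the referral target as a dedicated proxy identity and assert the
# client's identity through the proxyAuthz control (RFC 4370).
# mode="self" asserts the identity the client bound with.
# starttls=critical refuses to send the simple-bind password in the clear.
chain-idassert-bind     bindmethod="simple"
                        binddn="cn=chain-proxy,dc=example,dc=com"
                        credentials="CHANGE-ME"
                        mode="self"
                        starttls=critical

# --- On ldap2.example.com, the referral target (constructed example) ---
#
# Proxy authorization has to be enabled there, and the proxy identity must
# be allowed to assert other identities. Keep the authzTo rule as narrow as
# the deployment allows, since it defines whom the proxy can act as.
#
#   slapd.conf:
#       authz-policy    to
#
#   attribute on the entry cn=chain-proxy,dc=example,dc=com:
#       authzTo: dn.regex:^uid=[^,]+,ou=people,dc=example,dc=com$
```

If the target rejects the asserted identity, the chained operation still fails and, as described above, the client receives the referral rather than the error.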