
find_connection improvement

I was trying to find out why I was having so much trouble using AuthLDAP in Apache when ldapsearch on the command line worked fine and I tracked it down to OpenLDAP spitting the dummy while chasing referrals. My immediate workaround is to stop chasing referrals, but that won't work in general. I have found out why the referral doesn't work and what can be done to fix it (sometimes).

The general problem is that there is no way to do a non-anonymous bind when chasing referrals. We could try authenticating with the credentials from the first connection, but I would be unhappy as a user if I supplied OpenLDAP with my username and password for server A (which I trust) and it promptly transmitted that information to server B (which I don't trust).

It isn't quite as bleak as that. I did notice that in my case, the server was handing me a referral to itself. I started wondering about reusing connections and found that there was already code to do this. Pity it didn't work very well. First of all it couldn't match the port number if the referral was to a server using a default port number. Whoops. Secondly it matches servers by comparing their names and names just aren't a suitable matching criterion because servers can have many names.

I've submitted ITS#3280 for the port number problem, which just leaves matching the servers themselves.

I think the only way to do this properly is by IP address. You take the name in the referral, turn it into a list of IP addresses and see if you already have a connection to any of those IP addresses. This works at exactly the same level as matching port numbers. DNS names are assigned for any number of administrative reasons and unfortunately "keeping LDAP users happy" isn't normally one of them.

Does this make sense to people?

Lloyd Parkes

Wellington Unix Team
EDS (New Zealand) Limited
Phone +64 4 474 5732
Fax +64 4 474 5094
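An added sketch of the matching rule proposed in the post above (not OpenLDAP's own code): the referral host is resolved to IP addresses and compared, together with the port (default filled in when the referral omits it) and the scheme, against the connections already open. The DNS table, connection list, and the names `Connection`, `parse_referral`, `find_connection` and `constructed_resolver` are my own constructions; a real implementation would resolve with `socket.getaddrinfo` instead of the table.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


@dataclass(frozen=True)
class Connection:
    scheme: str   # reuse only across the same scheme, so a plaintext connection never serves an ldaps referral
    ip: str
    port: int


def parse_referral(url):
    """Return (scheme, host, port) from an LDAP referral URL, filling in the default port."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    if scheme not in DEFAULT_PORTS or not u.hostname:
        raise ValueError(f"unsupported referral URL: {url!r}")
    port = u.port if u.port is not None else DEFAULT_PORTS[scheme]
    return scheme, u.hostname.lower(), port


def find_connection(referral_url, open_connections, resolve):
    """Return an open connection to the referral target, matched by IP address rather than name."""
    scheme, host, port = parse_referral(referral_url)
    addresses = set(resolve(host))   # every address the referral name maps to
    for conn in open_connections:
        if conn.scheme == scheme and conn.port == port and conn.ip in addresses:
            return conn
    return None   # no reusable connection: caller must open a new (anonymous) one


# Constructed DNS table standing in for socket.getaddrinfo(); RFC 5737 documentation addresses.
CONSTRUCTED_DNS = {
    "ldap.example.test": ["192.0.2.10", "192.0.2.11"],
    "alias.example.test": ["192.0.2.11"],      # second name for the same server
    "other.example.test": ["203.0.113.7"],
}


def constructed_resolver(host):
    return CONSTRUCTED_DNS.get(host, [])


# Constructed list of connections the client already holds.
OPEN_CONNECTIONS = [
    Connection("ldap", "192.0.2.11", 389),
    Connection("ldaps", "198.51.100.5", 636),
]
```

With these inputs a referral to `alias.example.test` on the default port reuses the existing `192.0.2.11:389` connection even though the name differs, while a referral to a non-default port or to `ldaps://` on that host does not.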