I was trying to find out why I was having so much trouble using
AuthLDAP in Apache when ldapsearch on the command line worked fine, and
I tracked it down to OpenLDAP spitting the dummy while chasing
referrals. My immediate workaround is to stop chasing referrals, but
that won't work in general. I have found out why the referral doesn't
work and what can be done to fix it (sometimes).
The general problem is that there is no way to do a non-anonymous bind
when chasing referrals. We could try authenticating with the
credentials from the first connection, but I would be unhappy as a user
if I supplied OpenLDAP with my username and password for server A
(which I trust) and it promptly transmitted that information to server
B (which I don't trust).
It isn't quite as bleak as that. I did notice that in my case, the
server was handing me a referral to itself. I started wondering about
reusing connections and found that there was already code to do this.
Pity it didn't work very well. First of all it couldn't match the port
number if the referral was to a server using a default port number.
Whoops. Secondly, it matches servers by comparing their names, and names
just aren't a suitable matching criterion because servers can have many
I've submitted ITS#3280 for the port number problem, which just leaves
matching the servers themselves.
I think the only way to do this properly is by IP address. You take the
name in the referral, turn it into a list of IP addresses and see if
you already have a connection to any of those IP addresses. This works
at exactly the same level as matching port numbers. DNS names are
assigned for any number of administrative reasons and unfortunately
"keeping LDAP users happy" isn't normally one of them.
Does this make sense to people?
Wellington Unix Team
EDS (New Zealand) Limited
Phone +64 4 474 5732
Fax +64 4 474 5094
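The matching scheme proposed in the post above, written out as an added example in Python. It is illustrative code, not OpenLDAP's libldap, the Apache AuthLDAP module, or anything from ITS#3280. It fills in the scheme's default port before comparing, resolves the referral's host name to IP addresses and matches those against the addresses each open connection was made to, and, when nothing matches, opens a fresh anonymous connection so that the credentials supplied for server A are never replayed to server B. The `FAKE_DNS` table is a constructed stand-in for DNS so the example runs offline, and the function and class names (`parse_ldap_url`, `find_reusable`, `chase_referral`, `Connection`) are my own. It goes slightly beyond the post in also treating IP literals in the referral and refusing to match an `ldap://` connection against an `ldaps://` referral.

```python
"""Matching an LDAP referral against already-open connections.

Added example (illustrative Python, not OpenLDAP's libldap code).  It
shows the two points argued in the post: fill in the scheme's default
port before comparing, and compare resolved IP addresses rather than
host names, so a referral that names the same server by another name
reuses the existing, already authenticated connection.  A referral that
does not match gets a fresh anonymous connection; the user's credentials
are never forwarded to the referred-to server.
"""
import ipaddress
from urllib.parse import urlsplit

# Default ports per LDAP URL scheme (RFC 4516: ldap on 389; ldaps on 636).
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

# Constructed, hypothetical name table standing in for DNS so the example
# runs offline.  A real implementation would call socket.getaddrinfo().
FAKE_DNS = {
    "ldap.example.com": ["192.0.2.10", "192.0.2.11"],  # round-robin alias
    "dc1.example.com": ["192.0.2.10"],                 # same box, other name
    "ldap.other.example": ["198.51.100.5"],            # an unrelated server
}


def resolve(host, resolver=FAKE_DNS):
    """Return the IP addresses a host maps to; an IP literal maps to itself."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return list(resolver.get(host.lower(), []))


def parse_ldap_url(url):
    """Return (scheme, host, port) with the default port filled in, so that
    'ldap://h.example.com/' and 'ldap://h.example.com:389/' compare equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError("not an LDAP URL: %r" % url)
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return scheme, host, port


class Connection:
    """An open connection: the endpoint it was opened to, the IP addresses
    that endpoint resolved to at connect time, and who (if anyone) is bound."""

    def __init__(self, url, resolver=FAKE_DNS, bound_as=None):
        self.scheme, self.host, self.port = parse_ldap_url(url)
        self.addresses = frozenset(resolve(self.host, resolver))
        self.bound_as = bound_as  # None means an anonymous bind


def find_reusable(referral_url, connections, resolver=FAKE_DNS):
    """Return an existing connection to the referral's target, matching on
    scheme, port and any shared IP address rather than on the host name."""
    scheme, host, port = parse_ldap_url(referral_url)
    targets = set(resolve(host, resolver))
    for conn in connections:
        if conn.scheme == scheme and conn.port == port and conn.addresses & targets:
            return conn
    return None


def chase_referral(referral_url, connections, resolver=FAKE_DNS):
    """Decide how to follow a referral.  Returns ('reuse', conn) when an
    existing connection already reaches that server, otherwise
    ('anonymous', new_conn): a fresh connection with no credentials, because
    the credentials given for server A must not be replayed to server B."""
    conn = find_reusable(referral_url, connections, resolver)
    if conn is not None:
        return "reuse", conn
    return "anonymous", Connection(referral_url, resolver, bound_as=None)


if __name__ == "__main__":
    conns = [Connection("ldap://ldap.example.com/",
                        bound_as="uid=alice,ou=people,dc=example,dc=com")]
    # Same server under another name, port omitted on one side: reused.
    print(chase_referral("ldap://dc1.example.com:389/dc=example,dc=com", conns)[0])
    # Different host: not reused, and alice's credentials stay put.
    print(chase_referral("ldap://ldap.other.example/dc=other", conns)[0])
```

Two design choices worth noting. Matching requires at least one shared address rather than an identical address set, because a round-robin name and a single-host name for the same box legitimately resolve differently, which is exactly the case the post describes. And the fallback is always an anonymous bind, never a rebind with the caller's password, so a referral to a host the user never chose to trust cannot harvest their credentials.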