[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Referrals?



Generally this is a feature that true X.500 servers implement, not something
that slapd will do. The LDAP protocol doesn't have adequate means  to
unambiguously handle authentication to the referral target. Referral chasing
works unambiguously in X.500 because the server-to-server protocol (DSP)
accomodates both server credentials and the original client credentials in
the chained requests. LDAP's problem as far as authentication goes is that
there is more than one principal associated with a referred request, but the
protocol only allows specifying a single identity on a given connection, and
so your LDAP implementation is forced to arbitrarily choose which of several
available identities to use when authenticating to the referral target. Most
implementations punt and just bind anonymously to the referral target. If
you're happy with one particular policy, I suppose you can embed that policy
into the server as  well. I wrote an LDAP backend for slapd that is in the
2.0 alpha code that can be configured as a proxy. I originally wrote it as a
referral interceptor as well, which would do exactly what you asked for, but
that feature was dropped. It wasn't clear to me that it could be configured
satisfactorily, deciding which referrals to chase and which to just give
back to the client, what identity to bind with on the chased referral, and
where to get the password for binding, etc. All in all, it sounded like a
great idea at first but quickly became scary (from a security point of view)
as the details surfaced.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc

>mikema@crt.com
> Hi All,
>
> 	Does anyone know if an LDAP server can handle a referral without
> sending back to the client.  For example if I do a search in an
> LDAP server
> and find a referral can the server be setup to forward your search to the
> appropriate referral path?  Or, does the client have to resubmit
> the request
> to the referred path?
>
> Thanks,
>
> > _______
> >
> > Mike Mazzolini
> > Bank Of America
> > mikema@crt.com
> >
> > - Whether you think you can or think you can't, you're right!
> >
> >
>