[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: LDAP Referrals

> On Behalf Of Neil Hunter

> Hi,
> Can someone point me to some information on how LDAP V3 referrals operate?
See RFC 2251 for the LDAP V3 spec, including referrals. You can find it any
number of places, including the doc/rfc subdirectory of the OpenLDAP source

> I'm looking at the V2 referral support in OpenLDAP at the moment,
> but it seems
> to have a few unexpected features and I'd like to know whether they will
> persist in V3.
> Specifically:
> 1. I've already posted about V2 referrals only being followed as part of a
> search and not add/modify operations. Does V3 allow for referrals
> as part of
> all operations?

> 2. If you set the base DN of a query to a subtree which *DOESN'T*
> contain a
> referral, the referral is *still* generated and the slave slapd still gets
> queried. I must admit this was not what I expected!

Not sure what you mean. Perhaps you should provide an example.
> 3. Is there support for the server to follow the referral on behalf of the
> client?

This is not defined in the V3 protocol. Obviously if the server is going to
contact a remote server on behalf of a client, the client never sees that a
referral took place. Since the LDAP protocol only describes client-server
interaction, this behavior is beyond the scope of the LDAP spec. With that
said, what you want is certainly possible. I wrote an LDAP proxy backend for
OpenLDAP that allows the server to query other servers. The patches for
1.2.x servers are available on my web site, and it is already integrated
into the 2.x beta. However, it isn't tied into slapd's referral processing
code. Doing this automatically is problematic with LDAP since the protocol
was never designed for server to server communication, and the question of
which credentials to use when contacting the remote server is undefined.

The proxy code I wrote uses the client's DN when binding with the remote
server, and may or may not use the client's password as well, depending on
whether or not the client attempted to bind to the proxy itself. This is
dicey at best, since the client's DN may not be meaningful on the remote
server... I suppose if a referral included authentication information in its
URL, it could be chased automatically without any worry, but that just moves
the problem - you then have to decide what authentication info to embed in
the referral.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc