
Re: Referrals and Chasing Them

Stig Venaas <Stig@OpenLDAP.org> writes:

> So that is why my callback was never called (using HEAD)? Can anyone
> confirm this? I suppose I should dig into the source myself, but if
> anyone knows...

I have rechecked and it is still there; look for ldap_set_rebind_proc
in include/ldap.h.

But it is currently undocumented.  As a matter of fact there is some
commented-out documentation that does not seem to match the code.

However, the call is there in libraries/libldap/request.c, notice that
if you do not provide a rebind proc, referrals will be chased using an
anonymous bind.

So it seems I was wrong.  That will teach me to check facts first.

> Is this something we don't want to support? I understand
> that it might be fragile, why is it dangerous?

Because you need to make sure that you will not be giving reusable
credentials to untrusted parties.

Even in the presence of user-writable directories.  Just imagine I
could create a referral in your directory so that you, using the root
dn, chased it.

ldap_set_rebind_proc will let you do this, but you have to get it

With some authentication methods you will just get a failure if you
get it wrong.  With others, you just gave away your credentials...
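The check a rebind callback should make before re-presenting credentials, as an added example that is not part of this thread or of libldap: it allow-lists the referral target by host so that a referral planted in a user-writable part of the directory cannot pull the root dn's credentials to an attacker's server. The allow-list and the helper names (referral_host, referral_is_trusted) are assumptions; the rebind proc itself is left out because the signature expected by ldap_set_rebind_proc has changed between OpenLDAP versions, and it would simply call referral_is_trusted(url) and bind anonymously (or refuse) when it returns 0.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Hosts to which we are willing to re-present our own credentials when a
 * referral is chased.  Constructed sample allow-list; everything else is
 * treated as an untrusted party. */
static const char *trusted_hosts[] = {
    "ldap1.example.org", "ldap2.example.org", NULL
};

/* Copy the host part of an ldap:// or ldaps:// URL into buf.
 * Returns 1 on success, 0 if the URL is not an LDAP URL or has no host. */
static int referral_host(const char *url, char *buf, size_t buflen)
{
    const char *p;
    size_t n;

    if (strncasecmp(url, "ldap://", 7) == 0)       p = url + 7;
    else if (strncasecmp(url, "ldaps://", 8) == 0) p = url + 8;
    else return 0;

    if (*p == '[') {                     /* IPv6 literal, e.g. [::1]:389 */
        const char *end = strchr(p, ']');
        if (end == NULL) return 0;
        n = (size_t)(end - p) + 1;
    } else {                             /* host ends at port, DN or EOS */
        n = strcspn(p, ":/");
    }
    if (n == 0 || n >= buflen) return 0;
    memcpy(buf, p, n);
    buf[n] = '\0';
    return 1;
}

/* Decide whether credentials may be sent to the referral target.  Only an
 * exact, case-insensitive host match is accepted, so "ldap1.example.org.evil"
 * or an unparseable URL never receives the stored bind credentials. */
int referral_is_trusted(const char *url)
{
    char host[256];
    int i;

    if (!referral_host(url, host, sizeof host)) return 0;
    for (i = 0; trusted_hosts[i] != NULL; i++)
        if (strcasecmp(host, trusted_hosts[i]) == 0) return 1;
    return 0;
}
```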