[Date Prev][Date Next]
RE: Using the referrals in (Open)LDAP?
[mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of
>I just tried to find some documentation about openLDAP & referals, google
> on strike today. .-)
>Anyone knows of some good referrals-specific HOWTO-like stuff? (I'm reading
> relevant parts of the LDAP System Administration" right now, but apparently
> parts of the "refferals story" are vendor specific, so I'll stil lneed
> openLDAP specific too)
>In particular, I'm interested in the following stuff:
>1) Can referrals be added to directory like "normal" entries, or do I have
> them in slapd.conf?
Referrals are entries of objectclass "referral". There is a default referral
you can define in slapd.conf, which is used when the server receives a
request for a DN that is not served by any of its databases, but regular
referrals are stored as entries in a database.
>2) Who is chasing the referrals, client, or the server? If client, will the
> care of it, or do I have to implement the logic for refferals chasing in
By definition, a referral is information that a server returns to a client
telling the client to look somewhere else. The client must process it
explicitly. The OpenLDAP library can chase referrals automatically if you set
the appropriate option.
>3) Assuming I've done an authenticated bind to server A, and the data is on
> what needs to be done so that server B accepts me as "authenticated user"?
That is, do
> I need to configure the trust relationships in addition to defining the
> (and how)?
To have the library do the right thing in this case you need to write a
rebind function and tell the library to use it. Otherwise the library does no
authentication when processing referrals (i.e., they are chased anonymously).
Referrals are an ill-defined ill-supported wart in the LDAP protocol. It's
best to avoid them if you can. In particular, the spec provides zero guidance
on how to handle security issues. E.g., if you query server A using ldaps or
StartTLS, should you use the same level of security when talking to server B?
Should the client assume that the same username and password for server A is
valid on server B? If not, how does the client decide which user identity to
assert on server B? What if you performed a SASL bind, and server B doesn't
support the same SASL mechs as server A?
In OpenLDAP the way to avoid using referrals is to use back-ldap and address
these issues explicitly, by defining all the necessary knowledge information
in the back-ldap configuration and obviating the client from having to deal
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
Symas: Premier OpenSource Development and Support