
Re: How to make binding on downward referral possible.

> Is there any way to make binding follow the referral in the case of
> downward referral?
> In upward referral it works fine (i.e. slapd.conf entry of referral).
> But how can I make it with downward referral? My requirement is, after
> searching the entry, the client
> should bind to the corresponding server and not to the parent server.
> I posted one mail last week with subject: Bind Problem with downward
> referrals. It seems because of my poor English
> I haven't got any response.

Your question doesn't appear very clear, and I fear not because of poor
English.  First of all, bind is supposed to fail with invalidCredentials
(49) if a referral would be returned.  I'm not sure I understand what you
mean by downward/upward referral; I mean: I do not understand how
following one would differ from following the other.

Anyway, in general following referrals is something clients have to deal
with, e.g. by parsing the [host][:port] out of the URI, contacting it, and
reworking the request according to the DN and other info contained in the

If you want OpenLDAP clients to do this for you, you need to use the -C
option, which is deprecated (automatic referral chasing in general is a
bad thing, unless one knows what he's doing).  However, OpenLDAP clients
do that anonymously, as they cannot infer enough information from their
configuration, from the command line options and from the contents of the
referral, about how to safely and effectively rebind.

If you know how your client should rebind, I suggest you write your own
tool, or modify OpenLDAP's, to work according to your needs.  Otherwise,
if you want the server to do that for you, i.e. no referral gets back to
the client, but the server directly chases the referral, you need to use
the slapo-chain(5) overlay (OpenLDAP 2.3 and above).  In that case, if you
look at the idassert directive of the underlying slapd-ldap(5), you can
also define very effective rebind strategies.

That tool is not so easy to use and configure; I suggest you read very
carefully the documentation you've been pointed to, and you play with the
related tests (test007, test018, test032) and the configuration they use
before you try to setup your own system.


Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
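A slapd.conf fragment illustrating the server-side setup described in the reply above: slapo-chain chasing the referral on the server, with the rebind strategy expressed through slapd-ldap's idassert-bind directive (all slapd-ldap directives are accepted by the overlay with a "chain-" prefix). This is an added example, not part of the original message nor one of the OpenLDAP test configurations it points to; the suffix, the URI ldap://ldap2.example.com, the DNs and the passwords are assumed placeholders.

```conf
# slapd.conf fragment for the server that would otherwise hand the
# referral back to the client (the "parent" server in the question).
# Added example, not from the original post: suffix, URI, DNs and
# passwords are placeholders.
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
rootpw          secret
directory       /var/lib/ldap

# slapo-chain (OpenLDAP 2.3 and above): operations that would be answered
# with a referral to ldap://ldap2.example.com are performed there by the
# server instead, so the client never sees the referral.
overlay                 chain
chain-uri               "ldap://ldap2.example.com"

# Rebind strategy, i.e. slapd-ldap's idassert-bind with the chain- prefix:
# the overlay binds to ldap2 as the proxy identity below and then asserts
# the identity of the original client (mode=self) through the proxyAuthz
# control, so the chained operation runs with the client's rights rather
# than the proxy's.
chain-idassert-bind     bindmethod=simple
                        binddn="cn=Proxy,dc=example,dc=com"
                        credentials=proxy-secret
                        mode=self

# Local identities allowed to use identity assertion. "*" means everyone,
# anonymous included; narrow it to the users you actually need to chain.
chain-idassert-authzFrom "*"

# Return the chained server's error to the client instead of the referral.
chain-return-error      TRUE
```

Two checks before relying on this: the chained-to server (ldap2 here) must permit cn=Proxy to assert other identities, which means an authz-policy of "to" (or "both") in its configuration and an authzTo value on the cn=Proxy entry covering the users being asserted; without it the chained operation fails with an authorization error even though the bind as cn=Proxy succeeds. Second, the proxy's password sits in slapd.conf in clear, and that identity can impersonate every DN listed in its authzTo, so use a dedicated proxy entry, restrict its authzTo to the subtree you actually chain, and keep slapd.conf readable by the slapd user only. Verify the result with a plain client and no -C option: a search that used to return a referral should now return entries from ldap2.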