
Re: How to make binding on downward referral possible.

Pierangelo Masarati wrote:

Is there any way to make binding follow the referral in the case of
downward referral?
In upward referral it works fine (i.e. slapd.conf entry of referral).
But how can I make it work with downward referral? My requirement is that after
searching the entry, the client
should bind to the corresponding server and not to the parent server.

I posted one mail last week with subject: Bind Problem with downward
referrals. It seems because of my poor English
I haven't got any response.

Your question doesn't appear very clear, and I fear not because of poor English. First of all, bind is supposed to fail with invalidCredentials (49) if a referral would be returned. I'm not sure I understand what you mean by downward/upward referral; I mean: I do not understand how following one would differ from following the other.

Anyway, in general following referrals is something clients have to deal
with, e.g. by parsing the [host][:port] out of the URI, contacting it, and
reworking the request according to the DN and other info contained in the

If you want OpenLDAP clients to do this for you, you need to use the -C
option, which is deprecated (automatic referral chasing in general is a
bad thing, unless one knows what he's doing).  However, OpenLDAP clients
do that anonymously, as they cannot infer enough information from their
configuration, from the command line options and from the contents of the
referral, about how to safely and effectively rebind.

If you know how your client should rebind, I suggest you write your own
tool, or modify OpenLDAP's, to work according to your needs.  Otherwise,
if you want the server to do that for you, i.e. no referral gets back to
the client, but the server directly chases the referral, you need to use
the slapo-chain(5) overlay (OpenLDAP 2.3 and above).  In that case, if you
look at the idassert directive of the underlying slapd-ldap(5), you can
also define very effective rebind strategies.

That tool is not so easy to use and configure; I suggest you read very
carefully the documentation you've been pointed to, and you play with the
related tests (test007, test018, test032) and the configuration they use
before you try to setup your own system.

Thanks a lot for the information.
For more clarity on my mail, these are my intended meanings of the terms:
Upward referral : The referral which uses referral directive in slapd.conf
Downward referral: The referral which uses objectClass: referral and ref: attribute from the
In my tests I was not getting invalidCredentials (49) with upward referral bind. But I was getting this
reply (invalidCredentials) in the case of downward referral bind with default settings in Fedora Linux
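
The client-side referral handling described in the quoted reply (parse the host and port out of the URI, rework the request from the DN and other fields, then decide how to rebind), as an added Python example that is not part of the original thread or of OpenLDAP. The function name, host names and the rebind allowlist are assumptions made for illustration.

```python
from urllib.parse import urlsplit, unquote

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
# Constructed policy (an assumption, not OpenLDAP behaviour): the only
# servers this client may send its own credentials to when rebinding.
TRUSTED_REBIND_HOSTS = {("ldap-sub.example.com", 389)}


def rework_request(ref_uri, orig_base, orig_scope="sub",
                   orig_filter="(objectClass=*)"):
    """Turn one referral URI (RFC 4516 LDAP URL) into the follow-up request."""
    parts = urlsplit(ref_uri)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported referral scheme: {scheme!r}")
    if not parts.hostname:
        raise ValueError("referral has no host to contact")
    port = parts.port or DEFAULT_PORTS[scheme]

    # URL layout: scheme://host[:port]/dn?attributes?scope?filter?extensions
    fields = (parts.query.split("?") + [""] * 4)[:4]
    _attrs, scope, flt, _ext = fields

    # Parts missing from the referral fall back to the original request.
    base = unquote(parts.path.lstrip("/")) or orig_base
    scope = scope or orig_scope
    flt = unquote(flt) or orig_filter

    # Credentials go only to allowlisted servers; anything else is
    # contacted anonymously, so a referral cannot redirect a password.
    trusted = (parts.hostname, port) in TRUSTED_REBIND_HOSTS
    return {
        "host": parts.hostname, "port": port, "tls": scheme == "ldaps",
        "base": base, "scope": scope, "filter": flt,
        "bind": "rebind" if trusted else "anonymous",
    }


if __name__ == "__main__":
    # Constructed referral values, as a ref: attribute might hold them.
    for ref in ("ldap://ldap-sub.example.com/ou=people,dc=sub,dc=example,dc=com",
                "ldap://other.example.net:1389/??one?(uid=jdoe)"):
        print(rework_request(ref, "ou=people,dc=example,dc=com"))
```

The returned dictionary is what a custom tool would feed to its LDAP library for the follow-up connection; the allowlist check is the piece that automatic anonymous chasing cannot supply on its own.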