[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: How to make binding on downward referral possible.

At 11:13 PM 6/13/2006, Sandeep A.S wrote:
>Pierangelo Masarati wrote:
>>>Is  there any way to  make  binding follow the referral  in the case of
>>>downward referral ?
>>>In upward referral it works fine.(Ie slapd.conf entry of referral)
>>>But how I can make it with downward referral . My requirement is after
>>>serchng the entry,client
>>>should bind to the corresponding server and not to the parent server .
>>>I posted one mail on last week with subject:Bind Problem with downward
>>>referrals. It seems because of my poor english
>>>I have't got any response.
>>Your question doesn't appear very clear, and I fear not because of poor
>>English.  First of all, bind is supposed to fail with invalidCredentials
>>(49) if a referral would be returned.  I'm not sure I understand what you
>>mean by downward/upward referral; I mean: I do not understand how
>>following one would differ from follwing the other.
>>Anyway, in general following referrals is something clients have to deal
>>with, e.g. by parsing the [host][:port] out of the URI, contacting it, and
>>reworking the request according to the DN and other info contained in the
>>If you want OpenLDAP clients to do this for you, you need to use the -C
>>option, which is deprecated (automatic referral chasing in general is a
>>bad thing, unless one knows what he's doing).  However, OpenLDAP clients
>>do that anonymously, as they cannot infer enough information from their
>>configuration, from the command line options and from the contents of the
>>referral, about how to safely and effectively rebind.
>>If you know how your client should rebind, I suggest you write your own
>>tool, or modify OpenLDAP's, to work according to your needs.  Otherwise,
>>if you want the server to do that for you, i.e. no referral gets back to
>>the client, but the server directly chases the referral, you need to use
>>the slapo-chain(5) overlay (OpenLDAP 2.3 and above).  In that case, if you
>>look at the idassert directive of the underlying slapd-ldap(5), you can
>>also define very effective rebind strategies.
>>That tool is not so easy to use and configure; I suggest you read very
>>carefully the documentation you've been pointed to, and you play with the
>>related tests (test007, test018, test032) and the configuration they use
>>before you try to setup your own system.
>   Thanks a lot for the information.
>   For more clarity on my mail  these  are my indented meaning of  terms:
>   Upward referral : The referral which uses  referral directive in slapd.conf
>   Downward referral: The referral which uses   objectClass: referral and ref: attribute from the
>   database.
>    In my tests I was not getting invalidCredentials (49)  with upward referral bind . But I was getting this
>    reply (invalidCredentials) in the case of downward referral bind with default settings in Fedora Linux
>    systems.

Sounds like you are using an old version of OpenLDAP Software.