Re: Where is the '-C' option to 'ldapsearch' documented?



On Tue, Sep 12, 2017 at 10:07:29PM +0100, Howard Chu wrote:
> Brian Reichert wrote:
> >On Tue, Sep 12, 2017 at 01:00:25PM -0700, Ryan Tandy wrote:
> >>On Tue, Sep 12, 2017 at 03:56:07PM -0400, Brian Reichert wrote:
> >>>Is this a supported option?  Is it documented somewhere officially?
> >>>I couldn't find it after a quick search...
> >>
> >>According to http://www.openldap.org/its/?findid=7177 it is "deprecated
> >>and intentionally undocumented".
> >
> >Helpful pointer, thanks!
> >
> >If it's deprecated, what's the approved method of coercing ldapsearch
> >to pursue referrals?
> >
> ldapsearch shouldn't pursue referrals. The directory server you're using 
> should chain requests for you instead of ever returning referrals.

Regrettably, the directory server, in this case, is Active Directory.

  https://technet.microsoft.com/en-us/library/cc978014.aspx

  Active Directory returns referrals in accordance with RFC 2251.

  https://social.technet.microsoft.com/Forums/ie/en-US/41d26e7a-a65c-47fe-b818-8ed3c17b7b6f/ldap-referrals-in-active-directory?forum=winserverDS

I don't see Microsoft changing their tune anytime soon. :/

I have to admit, this is the first I've heard of chaining a request.

This might be a way out for me:

  http://blog.heeresonline.com/2014/04/activedirectory-ldap-referrals-chasing/

In any event, it's clear that directory servers _can_ return
referrals, and as such, it surprises me that there isn't a supported
way for OpenLDAP's tool to honor such a configuration.

I presume this has been discussed to death on this list, but I
couldn't find any historical threads on the topic.  Can you provide
some references?


> 
> -- 
>   -- Howard Chu
>   CTO, Symas Corp.           http://www.symas.com
>   Director, Highland Sun     http://highlandsun.com/hyc/
>   Chief Architect, OpenLDAP  http://www.openldap.org/project/
> 

-- 
Brian Reichert				<reichert@numachi.com>
BSD admin/developer at large