Re: Where is the '-C' option to 'ldapsearch' documented?



On Wed, Sep 13, 2017 at 09:15:04AM +0200, Michael Ströder wrote:
> Note that referrals are not fully specified in the LDAPv3 RFCs. 
> Especially there's no specification which authentication the 
> client should use when chasing referrals.
> 
> AD returns referrals and it is assumed that the client uses the 
> same authentication used when receiving the referral. But there's 
> nothing in LDAPv3 really defining this specific behaviour.

I've read up on the security questions surrounding assumptions about
credentials, but when dealing with an AD farm, it is apparently
necessary to follow referrals, using the original credentials.

> Furthermore even when integrating various clients with MS AD I 
> never had a use-case requiring to chase AD referrals. What's your 
> use-case requiring client-side referral chasing?

From what I can glean from our codebase, we were trying to process
the retrieval of desktop policies, and issues were found if we
didn't chase referrals.  I'm trying to gather specifics on that
issue, for clarity's sake.

> 
> Ciao, Michael.
> 

-- 
Brian Reichert				<reichert@numachi.com>
BSD admin/developer at large