find_connection improvement

["Parkes, Lloyd" <Lloyd.Parkes@eds.com>]

I was trying to find out why I was having so much trouble using 
AuthLDAP in Apache when ldapsearch on the command line worked fine and 
I tracked it down to OpenLDAP spitting the dummy while chasing 
referrals. My immediate work around is to stop chasing referrals, but 
that won't work in general. I have found out why the referral doesn't 
work and what can be done to fix it (sometimes).

The general problem is that there is no way to do a non-anonymous bind 
when chasing referrals. We could try authenticating with the 
credentials from the first connection, but I would be unhappy as a user 
if I supplied OpenLDAP with my username and password for server A 
(which I trust) and it promptly transmitted that information to server 
B (which I don't trust).

It isn't quite as bleak as that. I did notice that in my case, the 
server was handing me a referral to itself. I started wondering about 
reusing connections and found that there was already code to do this. 
Pity it didn't work very well. First of all it couldn't match the port 
number if the referral was to a server using a default port number. 
Whoops. Secondly it matches servers by comparing their names and names 
just aren't a suitable matching criterion because servers can have many 
names.

I've submitted ITS#3280 for the port number problem, which just leaves 
matching the servers themselves.

I think the only way to do this properly is by IP address. You take the 
name in the referral, turn it in to a list of IP addresses and see if 
you already have a connection to any of those IP addresses. This works 
at exactly the same level as matching port numbers. DNS names are 
assigned for any number of administrative reasons and unfortunately 
"keeping LDAP users happy" isn't normally one of them.

Does this make sense to people?

Thanks,
Lloyd Parkes

Wellington Unix Team
EDS (New Zealand) Limited
Phone +64 4 474 5732
Fax +64 4 474 5094