
RE: Double referral not handled properly (ITS#3361)



OK, thanks. I can avoid having OpenLDAP try to process referrals during
binds by having my ldo_rebind_proc() function return an error if it is
called during a bind.

The server that I am using, by the way, is the Windows port of OpenLDAP
server which is based off 2.1.29.

Ian

> -----Original Message-----
> From: Howard Chu [mailto:hyc@symas.com]
> 
> This trace shows that both the client library and server B are "being 
> stupid."
> 
> In general, a server should not return a referral for a Bind request, 
> because that does not in any way help accomplish the goal of such a 
> request. (I.e., presumably you send a Bind request to a server to 
> perform authentication *on that server*. Having it refer you to 
> another server leaves you still unauthenticated on that original 
> server.) I believe the current (2.2.17) slapd no longer returns 
> referrals for Bind requests.
> 
> The client library always issues a Bind to the target server when 
> chasing a referral. This happens before it looks at whatever request 
> is being referred - which in this case is itself a Bind request. 
> That's why you see two Bind requests in a row, followed by an Unbind - 
> that is the client library processing the referral returned from the 
> Bind request to server B.
> 
> Again, since it makes no sense to chase referrals for Bind requests, 
> probably the client should ignore them. Failing that, it should be 
> smart enough not to issue two redundant Binds in a row. But since this 
> isn't causing a critical failure anywhere, I don't see changing this 
> as a very high priority.
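
The exchange described in this thread, as an added example that is not part of the original messages and is not libldap code: a small stand-alone C model of the referral chase (Bind to the target first, then re-send the referred request, then Unbind) with an unguarded rebind callback beside one that fails when the referred request is itself a Bind. All function and type names are hypothetical; the model assumes the callback is told which request is being referred, and the constants are the LDAP protocolOp tags for Bind, Unbind and Search.

```c
/* Simplified model of the client behaviour described in the quoted reply.
 * Not libldap code: every name below is hypothetical. */
#include <stdio.h>

/* BER tags of the LDAP protocol operations used in the model. */
enum { REQ_BIND = 0x60, REQ_UNBIND = 0x42, REQ_SEARCH = 0x63 };

/* Requests the referral target would see, in order. */
struct trace { int ops[8]; int n; };
typedef int (*rebind_fn)(int request, struct trace *t);

static void send_op(struct trace *t, int op) {
    if (t->n < 8) t->ops[t->n++] = op;
}

/* Unguarded callback: always authenticates to the referral target. */
static int rebind_always(int request, struct trace *t) {
    (void)request;
    send_op(t, REQ_BIND);
    return 0;
}

/* Guarded callback (the workaround in the message above): return an
 * error when the request being referred is a Bind, otherwise rebind. */
static int rebind_refuse_bind(int request, struct trace *t) {
    if (request == REQ_BIND) return -1;
    send_op(t, REQ_BIND);
    return 0;
}

/* Chase one referral: rebind first, then re-send the referred request,
 * then Unbind. Returns -1 if the callback refused; in that case nothing
 * is sent to the target. */
static int chase_referral(int request, rebind_fn rebind, struct trace *t) {
    t->n = 0;
    if (rebind(request, t) != 0) return -1;
    send_op(t, request);
    send_op(t, REQ_UNBIND);
    return 0;
}

int main(void) {
    struct trace t;
    int rc = chase_referral(REQ_BIND, rebind_always, &t);
    printf("unguarded Bind referral:  rc=%d, %d requests to target\n", rc, t.n);
    rc = chase_referral(REQ_BIND, rebind_refuse_bind, &t);
    printf("guarded Bind referral:    rc=%d, %d requests to target\n", rc, t.n);
    rc = chase_referral(REQ_SEARCH, rebind_refuse_bind, &t);
    printf("guarded Search referral:  rc=%d, %d requests to target\n", rc, t.n);
    return 0;
}
```

In the model, the guard stops only referrals of Bind requests; a referred Search is still chased with a single Bind to the target.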