Re: Referrals and Chasing Them

[Stig Venaas <Stig.Venaas@uninett.no>]

On Fri, Nov 30, 2001 at 06:36:29PM +0100, Julio Sánchez Fernández wrote:
> Stig Venaas <Stig@OpenLDAP.org> writes:
> 
> > So that is why my callback was never called (using HEAD)? Can anyone
> > confirm this? I suppose I should dig into the source myself, but if
> > anyone knows...
> 
> I have rechecked and it is still there, look for ldap_set_rebind_proc
> in include/ldap.h.

Yes, I wrote some code that registered a callback, but I never managed
to actually get a callback. So when I read your mail, I started to wonder
if the chasing code didn't use it.

> But it is currently undocumented.  As a matter of fact there is some
> commented-out documentation that does not seem to match the code.

Yes, and there's also a 3rd parameter (void *) for passing data to the
callback handler. This is quite useful. Someone (for instance me) should
update the man page. I was also wondering why it wasn't in the API draft.

> > Is this something we don't want to support? I under-
> > stand that it might be fragile, why is it dangerous? 
> 
> Because you need to make sure that you will not be giving reusable
> credentials to untrusted parties.
> 
> Even in the presence of user-writable directories.  Just imagine I
> could create a referral in your directory so that you, using the root
> dn chased it.
> 
> ldap_set_rebind_proc will let you do this, but you have to get it
> right.
> 
> With some authentication methods you will just get a failure if you
> get it wrong.  With others, you just gave away your credentials...

Right. So just reusing the credentials is bad. But when using the call-
back, the application knows what server one is about to access, and has
to do a new bind and decide for itself what authentication mechanism
and what credentials to use. If a callback is not defined, we should only
hase referrals on anonymous binds I think. And this is how I thought it
worked now.

Stig