
RE: Using the referrals in (Open)LDAP?



>-----Original Message-----
>From: owner-openldap-software@OpenLDAP.org
>[mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of
>denis.havlik@t-mobile.at
>
>Morning everyone
>
>I just tried to find some documentation about openLDAP & referrals, google
>must be on strike today. .-)
>Anyone knows of some good referrals-specific HOWTO-like stuff? (I'm reading
>the relevant parts of the "LDAP System Administration" right now, but
>apparently some parts of the "referrals story" are vendor specific, so I'll
>still need something openLDAP specific too)
>
>In particular, I'm interested in the following stuff:
>
>1) Can referrals be added to directory like "normal" entries, or do I have
>to define them in slapd.conf?

Referrals are entries of objectclass "referral". There is a default referral
you can define in slapd.conf, which is used when the server receives a
request for a DN that is not served by any of its databases, but regular
referrals are stored as entries in a database.

>2) Who is chasing the referrals, client, or the server? If client, will the
>library take care of it, or do I have to implement the logic for referrals
>chasing in the clients?

By definition, a referral is information that a server returns to a client
telling the client to look somewhere else. The client must process it
explicitly. The OpenLDAP library can chase referrals automatically if you set
the appropriate option.

>3) Assuming I've done an authenticated bind to server A, and the data is on
>server B, what needs to be done so that server B accepts me as
>"authenticated user"? That is, do I need to configure the trust
>relationships in addition to defining the referrals (and how)?

To have the library do the right thing in this case you need to write a
rebind function and tell the library to use it. Otherwise the library does no
authentication when processing referrals (i.e., they are chased anonymously).

Referrals are an ill-defined ill-supported wart in the LDAP protocol. It's
best to avoid them if you can. In particular, the spec provides zero guidance
on how to handle security issues. E.g., if you query server A using ldaps or
StartTLS, should you use the same level of security when talking to server B?
Should the client assume that the same username and password for server A is
valid on server B? If not, how does the client decide which user identity to
assert on server B? What if you performed a SASL bind, and server B doesn't
support the same SASL mechs as server A?

In OpenLDAP the way to avoid using referrals is to use back-ldap and address
these issues explicitly, by defining all the necessary knowledge information
in the back-ldap configuration and obviating the client from having to deal
with it.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
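
The security questions raised in the reply above (same transport security on server B? which identity to assert there?) have to be answered by the client itself. The following is an added example, not part of the original message and not OpenLDAP code: a self-contained decision function of the kind a rebind function registered with `ldap_set_rebind_proc()` could consult before binding to a referred server. The names `referral_policy`, `TRUSTED` and all hosts and DNs are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Knowledge the client must hold itself, because the referral carries none.
 * Hosts and DNs are constructed sample values. */
struct referral_target {
    const char *host;    /* server we agree to be referred to */
    const char *bind_dn; /* identity to assert there; NULL = anonymous */
};
static const struct referral_target TRUSTED[] = {
    { "ldap-b.example.com", "uid=app,ou=svc,dc=example,dc=com" },
    { "ldap-c.example.com", NULL },
};

enum decision { REFUSE, CHASE_ANON, CHASE_BIND };

/* Decide how to follow referral `url`, given whether the connection to the
 * referring server used TLS. Sets *dn only when returning CHASE_BIND.
 * Assumption: ldap:// is treated as cleartext (no StartTLS on the new hop). */
enum decision referral_policy(const char *url, int orig_tls, const char **dn)
{
    const char *h;
    size_t hlen, i;
    int tls;
    *dn = NULL;
    if (strncasecmp(url, "ldaps://", 8) == 0)     { tls = 1; h = url + 8; }
    else if (strncasecmp(url, "ldap://", 7) == 0) { tls = 0; h = url + 7; }
    else return REFUSE;                    /* not an LDAP URL */
    if (orig_tls && !tls) return REFUSE;   /* never drop below server A's level */
    hlen = strcspn(h, ":/?");              /* host ends at port, DN or query */
    for (i = 0; i < sizeof TRUSTED / sizeof TRUSTED[0]; i++) {
        if (strlen(TRUSTED[i].host) != hlen ||
            strncasecmp(h, TRUSTED[i].host, hlen) != 0)
            continue;
        if (TRUSTED[i].bind_dn == NULL || !tls)
            return CHASE_ANON;             /* no credentials over cleartext */
        *dn = TRUSTED[i].bind_dn;
        return CHASE_BIND;
    }
    return REFUSE;                         /* unknown server: fail closed */
}

int main(void)
{
    const char *dn;
    int d = referral_policy("ldaps://ldap-b.example.com/dc=example,dc=com", 1, &dn);
    printf("decision=%d dn=%s\n", d, dn ? dn : "(none)");
    return 0;
}
```

The host comparison is an exact, whole-string match, so a referral to a look-alike name that merely starts with a trusted host is refused.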