
Re: Referrals chased, but not using right creds



Thanks for the answer.

I've modified my client with ldap_set_rebind_proc, and now it
successfully rebinds to the referred server.

After it binds successfully and does a search, my client goes into an
infinite loop.

Looking with ethereal it looks like the loop is of search, server
error, search, server error, etc. The server error I get each time is
this (courtesy of ethereal)...

Error Message: 0000202B: RefErr: DSID-12345678, data 0, 1 access
points\n\tref 1: 'my.server.example.com'\n
ERROR: Couldn't parse referral URL sequence header: Wrong type for that item
ERROR: Couldn't parse LDAP Controls: Wrong type for that item

Any ideas?

  Thanks,
- Jeremiah

On 9/14/06, Pierangelo Masarati <ando@sys-net.it> wrote:
Jeremiah Martell wrote:
> Hello,
>
> I'm seeing something strange (or perfectly normal) with openldap in
> regards to referrals.
>
> I set LDAP_OPT_REFERRALS to LDAP_OPT_ON, and LDAP_OPT_DEREF to
> LDAP_DEREF_ALWAYS. When I do a search openldap successfully chases
> down referrals, but when it binds to the referred server, it does so
> anonymously.
>
> Is this expected? Should I be able to say to use the same creds as the
> referring server? Is there something else I may be missing?

OpenLDAP clients, by design, rebind anonymously when automatically
chasing referrals.  If you want a different behavior you should write your
own client and use ldap_set_rebind_proc(3) to customize the way you want
the bind to be propagated when chasing referrals.  A quick solution would be
to customize existing clients, e.g. ldapsearch(1).

The reason this is not automatically done has been discussed many times,
so I suggest you search the archives.  To make it short, it's insecure
to give away credentials that way, unless you know you can trust the URI
you are being referred to; and you may know only if you see it.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------
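
The reply above says credentials should only be propagated to a referral URI you know you can trust. One way to make that decision inside a rebind callback, as an added example that is not code from this thread or from OpenLDAP: the function name `referral_is_trusted`, the allowlist contents and the ldaps-only policy are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed allowlist: the only hosts that may receive bind credentials. */
static const char *const trusted_hosts[] = { "my.server.example.com", NULL };

/* Returns 1 only if url is ldaps:// (assumed policy) and its host matches the
 * allowlist exactly. Meant to be called on the url argument that libldap
 * passes to the callback registered with ldap_set_rebind_proc(3). */
int referral_is_trusted(const char *url)
{
    static const char scheme[] = "ldaps://";
    char host[256], *colon;
    size_t n, i;

    if (url == NULL || strncasecmp(url, scheme, sizeof scheme - 1) != 0)
        return 0;                       /* no credentials over plain ldap:// */
    url += sizeof scheme - 1;
    n = strcspn(url, "/?#");            /* authority ends at the first of these */
    if (n == 0 || n >= sizeof host)
        return 0;
    memcpy(host, url, n);
    host[n] = '\0';

    if (strchr(host, '@') != NULL || host[0] == '[')
        return 0;                       /* userinfo tricks, IPv6 literals: refuse */
    colon = strchr(host, ':');
    if (colon != NULL) {                /* optional :port must be all digits */
        if (colon[1] == '\0' || colon[1 + strspn(colon + 1, "0123456789")] != '\0')
            return 0;
        *colon = '\0';
    }
    for (i = 0; trusted_hosts[i] != NULL; i++)
        if (strcasecmp(host, trusted_hosts[i]) == 0)
            return 1;                   /* exact, case-insensitive host match */
    return 0;
}

int main(void)
{
    /* Constructed referral URLs; only the first is trusted. */
    const char *s[] = { "ldaps://my.server.example.com/dc=example,dc=com",
                        "ldap://my.server.example.com/",
                        "ldaps://my.server.example.com.evil.example.net/" };
    for (size_t i = 0; i < 3; i++)
        printf("%s -> %d\n", s[i], referral_is_trusted(s[i]));
    return 0;
}
```

In the rebind callback, a return of 1 is the only case in which the stored credentials should be used for the bind; for anything else, bind anonymously or return an error from the callback.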