RE: How do I tell ldapsearch to authenticate to the referred to LDAPserver when chasing a referral?
That makes a lot more sense, thanks.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Paul Blondé
-----Original Message-----
From: Kurt Zeilenga [mailto:kurt@OpenLDAP.org]
Sent: Tuesday, July 17, 2007 5:19 PM
To: Paul Blondé
Cc: openldap-software@OpenLDAP.org
Subject: Re: How do I tell ldapsearch to authenticate to the referred to LDAPserver when chasing a referral?
On Jul 17, 2007, at 2:37 PM, Paul Blondé wrote:
> What?
>
> This directory protocol that so many people are using to authenticate and
> provide information throughout and between their networks has no way to
> perform authenticated queries across servers?

LDAP is specified as a client/server protocol. When a server returns a
referral to another server, it's completely up to the client to determine
if and how to chase it, including whether to authenticate and how. A
client which passes the user's password to a server just because it got
a referral to it, well, would be quite naive.

While it is certainly possible to construct a client which authenticates to
the referred to server somehow when chasing a referral, ldapsearch(1),
being unsophisticated (by design), doesn't. It takes a lot of sophistication
to properly manage security contexts in a distributed environment....

(I note that -C is/was undocumented on purpose. I'm sure the reasons
can be found in numerous places in the archives.)

-- Kurt
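
The client-side decision described in the message above, sketched as an added example (not code from this thread or from OpenLDAP): before chasing a referral, the client checks the referral URL against its own policy and only sends credentials to servers it already trusts over TLS. The allowlist, host names and function name are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed policy (assumption): (host, port) pairs this client is
# willing to authenticate to when a referral points at them.
TRUSTED_SERVERS = {("ldap2.example.com", 636)}
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def referral_decision(referral_url, trusted=TRUSTED_SERVERS):
    """Decide how to chase one referral URL.

    Returns 'bind'      - send credentials (trusted server, ldaps only),
            'anonymous' - chase without sending any credentials,
            'refuse'    - do not contact the server at all.
    """
    try:
        parts = urlsplit(referral_url)
        scheme = parts.scheme.lower()
        host = (parts.hostname or "").lower()
        # .port raises ValueError for a non-numeric or out-of-range port
        port = parts.port or DEFAULT_PORTS.get(scheme)
    except ValueError:
        return "refuse"

    # Only LDAP URLs are valid referral targets for this client.
    if scheme not in DEFAULT_PORTS or not host:
        return "refuse"
    # Userinfo in the authority is not part of an LDAP URL; treat as hostile.
    if parts.username or parts.password:
        return "refuse"

    # Credentials leave the client only for an exact allowlist match,
    # and never over a cleartext ldap:// connection.
    if scheme == "ldaps" and (host, port) in trusted:
        return "bind"
    return "anonymous"


if __name__ == "__main__":
    # Constructed referral URLs, as a server might return them.
    for url in ("ldaps://ldap2.example.com/dc=example,dc=com",
                "ldap://ldap2.example.com/dc=example,dc=com",
                "ldaps://ldap2.example.com.attacker.example/dc=example,dc=com"):
        print(url, "->", referral_decision(url))
```
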