Re: Where is the '-C' option to 'ldapsearch' documented?
On Tue, Sep 12, 2017 at 10:07:29PM +0100, Howard Chu wrote:
> Brian Reichert wrote:
> >On Tue, Sep 12, 2017 at 01:00:25PM -0700, Ryan Tandy wrote:
> >>On Tue, Sep 12, 2017 at 03:56:07PM -0400, Brian Reichert wrote:
> >>>Is this a supported option? Is it documented somewhere officially?
> >>>I couldn't find it after a quick search...
> >>
> >>According to http://www.openldap.org/its/?findid=7177 it is "deprecated
> >>and intentionally undocumented".
> >
> >Helpful pointer, thanks!
> >
> >If it's deprecated, what's the approved method of coercing ldapsearch
> >to pursue referrals?
> >
> ldapsearch shouldn't pursue referrals. The directory server you're using
> should chain requests for you instead of ever returning referrals.

Regrettably, the directory server, in this case, is Active Directory.

https://technet.microsoft.com/en-us/library/cc978014.aspx

Active Directory returns referrals in accordance with RFC 2251.

https://social.technet.microsoft.com/Forums/ie/en-US/41d26e7a-a65c-47fe-b818-8ed3c17b7b6f/ldap-referrals-in-active-directory?forum=winserverDS

I don't see Microsoft changing their tune anytime soon. :/

I have to admit, this is the first I've heard of chaining a request.
This might be a way out for me:

http://blog.heeresonline.com/2014/04/activedirectory-ldap-referrals-chasing/

In any event, it's clear that directory servers _can_ return
referrals, and as such, it surprises me that there isn't a supported
way for OpenLDAP's tool to honor such a configuration.

I presume this has been discussed to death on this list, but I
couldn't find any historical threads on the topic. Can you provide
some references?
>
> --
> -- Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/
>
--
Brian Reichert <reichert@numachi.com>
BSD admin/developer at large