> Hi,
> this is a partly duplicate of ITS 6463: I think it's better to split
> these 2
> items into 2 separate ITS.
>
> This ITS only describes the behaviour of OpenLDAP using referrals
> generated by
> DNSSRV; just ldap (no ldaps) is used.
>
> You stated that not returning DNs in DNSSRV "conforms to RFC4511". This
> seems to
> be OK. Nevertheless these returned URLs are used in the chaining code.
>
> This means that the chained search always searches with base "" (root). I
> don't
> think that this the right behavior.
>
> I debugged the code several hours but couldn't find a solution. What I
> could
> see:
> - dnssrv_back_referrals just puts server names into the referral structure
> ("ref")
> - the functions called afterwards - esp. ldap_chain_op - parse this
> structure
> "ref" for server names AND DNs (search bases)
>
> I'm sorry, my knowledge of the OpenLDAP code is not deep enough to propose
> a
> solution. But I think that this should be fixed: Chained Searches with ""
> as
> search base in a distributed environment can't really work: problems like
> - some servers don't support this kind of search
> - loop detection
> - access control
> are there.
Hi. I don't have time to work at this right now, but I think the solution
would be to modify slapo-chain(5) so that when a referral's DN is "" and
the DN in the original request is not "", to use that DN instead. The
original request DN can be found in op->o_req_dn.
p.