That's by design. Since following referrals non-anonymously is inherently unsafe, automatically chasing referrals implies allowing the user to either (a) acknowledge automatic chasing based on the referral's value, or (b) be prompted for the correct credentials. I don't see too much difference between this and requiring the user to manually chase referrals.

The right solution to your problem consists in configuring your slapd with slapo-chain(5) in order to delegate referral chasing to the DSA. In that case, automatic chasing would be performed within a well-agreed authentication/authorization pattern, and the client wouldn't even know a referral was returned.

I'd consider this ITS closed, unless you intend to provide a patch that (optionally) implements (a) and (b) above.

p.

Ing. Pierangelo Masarati OpenLDAP Core Team

SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Fax: +39 0382 476497 Email: ando@sys-net.it -----------------------------------