Hi, this is partly a duplicate of ITS 6463: I think it's better to split these 2 items into 2 separate ITS.
This ITS only describes the behaviour of OpenLDAP using referrals generated by DNSSRV; just ldap (no ldaps) is used.
You stated that not returning DNs in DNSSRV "conforms to RFC4511". This seems to be OK. Nevertheless these returned URLs are used in the chaining code.
This means that the chained search always searches with base "" (root). I don't think that this is the right behavior.
I debugged the code several hours but couldn't find a solution. What I could see:
- dnssrv_back_referrals just puts server names into the referral structure ("ref")
- the functions called afterwards - esp. ldap_chain_op - parse this structure "ref" for server names AND DNs (search bases)
I'm sorry, my knowledge of the OpenLDAP code is not deep enough to propose a solution. But I think that this should be fixed: chained searches with "" as search base in a distributed environment can't really work; there are problems like:
- some servers don't support this kind of search
- loop detection
- access control
Hi. I don't have time to work on this right now, but I think the solution would be to modify slapo-chain(5) so that when a referral's DN is "" and the DN in the original request is not "", it uses that DN instead. The original request DN can be found in op->o_req_dn.
p.
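The substitution rule proposed in the reply above, written out as a stand-alone illustration. This is added example code, not OpenLDAP's slapo-chain implementation: it uses a minimal hypothetical LDAP URL parser (`referral_url_dn`) instead of the library's `ldap_url_parse()` so that it builds without linking libldap, and `chain_effective_base()` stands in for the decision slapo-chain would take with `op->o_req_dn` in hand. The referral URLs below are constructed samples in the shape back-dnssrv emits (host and port, empty DN).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Small portable strdup so the example does not depend on POSIX extensions. */
static char *dup_range(const char *s, size_t len)
{
    char *out = malloc(len + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, s, len);
    out[len] = '\0';
    return out;
}

/* Hypothetical minimal parser: extract the DN component of
 * "ldap://host[:port]/[dn][?attrs[?scope[?filter]]]".
 * "ldap://host" and "ldap://host/" both yield the empty DN "".
 * Returns a newly allocated string (caller frees), or NULL if the
 * string is not an ldap:// or ldaps:// URL. */
char *referral_url_dn(const char *url)
{
    const char *p;
    if (strncmp(url, "ldap://", 7) == 0)
        p = url + 7;
    else if (strncmp(url, "ldaps://", 8) == 0)
        p = url + 8;
    else
        return NULL;

    const char *slash = strchr(p, '/');
    if (slash == NULL)
        return dup_range("", 0);          /* no path at all: empty DN */

    const char *dn = slash + 1;
    const char *q = strchr(dn, '?');      /* DN ends at the first '?' */
    size_t len = q ? (size_t)(q - dn) : strlen(dn);
    return dup_range(dn, len);
}

/* The rule from the thread: when the referral carries an empty DN and
 * the original request DN (op->o_req_dn in slapd) is non-empty, chase
 * the referral with the request DN as search base; otherwise keep the
 * DN the referral itself supplied. Returns a newly allocated string,
 * or NULL when the referral URL could not be parsed. */
char *chain_effective_base(const char *referral_url, const char *req_dn)
{
    char *ref_dn = referral_url_dn(referral_url);
    if (ref_dn == NULL)
        return NULL;
    if (ref_dn[0] == '\0' && req_dn != NULL && req_dn[0] != '\0') {
        free(ref_dn);
        return dup_range(req_dn, strlen(req_dn));
    }
    return ref_dn;
}

int main(void)
{
    /* Constructed samples: a DNSSRV-style referral with no DN, and a
     * conventional referral that already names a base. */
    const char *dnssrv_ref = "ldap://ldap.example.com:389/";
    const char *full_ref   = "ldap://ldap.example.com/ou=people,dc=example,dc=com??sub";
    const char *req_dn     = "dc=example,dc=com";

    char *b1 = chain_effective_base(dnssrv_ref, req_dn);
    char *b2 = chain_effective_base(full_ref, req_dn);
    printf("DNSSRV referral -> base \"%s\"\n", b1 ? b1 : "(parse error)");
    printf("full referral   -> base \"%s\"\n", b2 ? b2 : "(parse error)");
    free(b1);
    free(b2);
    return 0;
}
```

The first case is exactly the one the ITS describes: without the substitution the chained search would run against base "", with it the search keeps the caller's base `dc=example,dc=com`. The second case shows that a referral which already carries a DN is left alone.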