On Jul 17, 2007, at 2:37 PM, Paul Blondé wrote:
What?
This directory protocol that so many people are using to authenticate and provide information throughout and between their networks has no way to perform authenticated queries across servers?
LDAP is specified as a client/server protocol. When a server returns a referral to another server, it's completely up to the client to determine if and how to chase it, including whether to authenticate and how. A client which passes the user's password to a server just because it got a referral to it, well, would be quite naive.
While it certainly possible to construct a client which authenticates to the referred to server some how when chasing a referral, ldapsearch(1), being unsophisticated (by design) doesn't. It takes a lot of sophistication to properly manage security contexts in a distributed environment....
(I note that -C is/was undocumented on purpose. I'm sure the reasons can be found in numerous places in the archives.)
-- Kurt