That makes a lot more sense, thanks.
From: Kurt Zeilenga [mailto:kurt@OpenLDAP.org]
Sent: Tuesday, July 17, 2007 5:19 PM
To: Paul Blondé
Subject: Re: How do I tell ldapsearch to authenticate to the referred to
LDAPserver when chasing a referral?
On Jul 17, 2007, at 2:37 PM, Paul Blondé wrote:
This directory protocol that so many people are using to
provide information throughout and between their networks has no
perform authenticated queries across servers?
LDAP is specified as a client/server protocol. When a server returns a
referral to another server, it's completely up to the client to
if and how to chase it, including whether to authenticate and how. A
client which passes the user's password to a server just because it got
a referral to it, well, would be quite naive.
While it certainly possible to construct a client which authenticates to
the referred to server some how when chasing a referral, ldapsearch(1),
being unsophisticated (by design) doesn't. It takes a lot of
to properly manage security contexts in a distributed environment....
(I note that -C is/was undocumented on purpose. I'm sure the reasons
can be found in numerous places in the archives.)