Hello everyone.
I have an OpenLDAP 2.3.30 running on Debian Etch Stable in a DMZ, managing external users for an application. But at the same time I want this OpenLDAP to communicate, when given a specific DN, with another directory service on my internal network. The connection between the two machines passing through the firewall is correct.
The references are:
    OpenLDAP machine: doldap.sc.com with domain dc=si,dc=com
    the other directory: adldap.adsc.com with domain dc=adsc,dc=com
I defined the referral like this:
    dn: ou=test,dc=adsc,dc=com
    objectClass: referral
    objectClass: extensibleObject
    dc: prueba
    ref: ldap://adldap.adsc.com/ou=test,dc=adsc,dc=com
So, when I query something like this (anonymous):
    ldapsearch -b "ou=test,dc=adsc,dc=com" -H ldap://doldap.sc.com -x
I get this response:
    # extended LDIF
    #
    # LDAPv3
    # base <ou=prueba,dc=adsc,dc=com> with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #

    # search result
    search: 2
    result: 10 Referral
    ref: ldap://adldap.adsc.com/ou=prueba,dc=adsc,dc=com??sub

    # numResponses: 1
So, apparently the referral for that query is found. Next I tell ldapsearch to follow it:
    ldapsearch -b "ou=test,dc=adsc,dc=com" -H ldap://doldap.sc.com -x -C
OpenLDAP tries to follow the referral and gets this response from the other service:
    # extended LDIF
    #
    # LDAPv3
    # base <ou=prueba,dc=adsc,dc=com> with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #

    # search result
    search: 2
    result: 1 Operations error
    text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece

    # numResponses: 1
So, how do I tell ldapsearch to authenticate to the referred-to LDAP server when chasing a referral? Hope someone can help me.
Regards.
.A l e j a n d r o.
Comisario, Alejandro wrote:
    So, how do I tell ldapsearch to authenticate to the referred-to LDAP server when chasing a referral?
You need to actually bind as a user, e.g.:
ldapsearch -b "ou=test,dc=adsc,dc=com" -H ldap://doldap.sc.com -x -C -D "uid=blah,dc=adsc,dc=com" -W
Gavin.
You cannot. ldapsearch(1) can only chase referrals anonymously.
On Jul 17, 2007, at 7:53 AM, Comisario, Alejandro wrote:
    So, how do I tell ldapsearch to authenticate to the referred-to LDAP server when chasing a referral?
What?
This directory protocol that so many people are using to authenticate and provide information throughout and between their networks has no way to perform authenticated queries across servers?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Paul Blondé
-----Original Message-----
From: openldap-software-bounces+jpb=entel.ca@openldap.org [mailto:openldap-software-bounces+jpb=entel.ca@openldap.org] On Behalf Of Kurt Zeilenga
Sent: Tuesday, July 17, 2007 11:50 AM
To: Comisario, Alejandro
Cc: openldap-software@openldap.org
Subject: Re: How do I tell ldapsearch to authenticate to the referred to LDAP server when chasing a referral?
You cannot. ldapsearch(1) can only chase referrals anonymously.
On Jul 17, 2007, at 2:37 PM, Paul Blondé wrote:
What?
This directory protocol that so many people are using to authenticate and provide information throughout and between their networks has no way to perform authenticated queries across servers?
LDAP is specified as a client/server protocol. When a server returns a referral to another server, it's completely up to the client to determine if and how to chase it, including whether to authenticate and how. A client which passes the user's password to a server just because it got a referral to it, well, would be quite naive.
While it is certainly possible to construct a client which authenticates to the referred-to server somehow when chasing a referral, ldapsearch(1), being unsophisticated (by design), doesn't. It takes a lot of sophistication to properly manage security contexts in a distributed environment....
(I note that -C is/was undocumented on purpose. I'm sure the reasons can be found in numerous places in the archives.)
-- Kurt
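The client-side decision Kurt describes, as an added example that is not code from this thread, from ldapsearch or from OpenLDAP: a small standard-library Python policy that parses the referral URL a server returned (RFC 4516 form, as in the `ref:` line above), and decides whether to follow it anonymously (what ldapsearch does), follow it with the user's credentials, or not follow it at all. The trusted-host list, the ldaps-only rule for binds, the hop limit and the sample LDIF lines are assumptions constructed for the illustration, modelled on the output Alejandro posted.

```python
# Added example: a referral-chasing policy for an LDAP client. Standard library
# only; hosts, policy values and the sample LDIF are constructed for illustration.
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlsplit, unquote

LDAP_DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


@dataclass(frozen=True)
class LdapUrl:
    scheme: str
    host: str
    port: int
    dn: str
    attrs: Tuple[str, ...]
    scope: str
    filter: str


def parse_ldap_url(url: str) -> LdapUrl:
    """Parse an RFC 4516 LDAP URL: scheme://host[:port]/dn[?attrs[?scope[?filter]]]."""
    parts = urlsplit(url)
    if parts.scheme not in LDAP_DEFAULT_PORTS:
        raise ValueError(f"not an LDAP URL scheme: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("referral URL names no host; nothing to chase")
    # The DN is the path. The three optional fields after it are '?'-separated;
    # urlsplit hands them to us as one query string (so '??sub' -> '?sub').
    dn = unquote(parts.path.lstrip("/"))
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    attrs_s, scope_s, filter_s = fields[:3]
    scope = scope_s.lower() or "base"
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"unknown scope in referral URL: {scope_s!r}")
    return LdapUrl(
        scheme=parts.scheme,
        host=parts.hostname.lower(),
        port=parts.port or LDAP_DEFAULT_PORTS[parts.scheme],
        dn=dn,
        attrs=tuple(a for a in attrs_s.split(",") if a),
        scope=scope,
        filter=unquote(filter_s) or "(objectClass=*)",
    )


def referrals_from_ldif(lines: Iterable[str]) -> List[str]:
    """Collect the 'ref:' values from ldapsearch-style LDIF output."""
    return [ln.split(":", 1)[1].strip() for ln in lines if ln.startswith("ref:")]


@dataclass(frozen=True)
class ReferralPolicy:
    trusted_hosts: frozenset          # servers we are willing to send a bind to
    require_tls_for_bind: bool = True # never send a password over plain ldap://
    max_hops: int = 3                 # guard against referral loops


def decide_referral(url: str, policy: ReferralPolicy, hops_so_far: int = 0
                    ) -> Tuple[str, str, Optional[LdapUrl]]:
    """Decide how to chase one referral: returns (action, reason, parsed_url).

    'refuse'    -> do not follow at all
    'anonymous' -> follow, but send no credentials (ldapsearch's behaviour)
    'bind'      -> follow and bind with the user's credentials
    """
    if hops_so_far >= policy.max_hops:
        return ("refuse", "referral hop limit reached (possible loop)", None)
    try:
        target = parse_ldap_url(url)
    except ValueError as exc:
        return ("refuse", f"unparseable referral: {exc}", None)
    # A password goes only to a server we chose to trust in advance, never to
    # whatever host a referral happens to name.
    if target.host not in policy.trusted_hosts:
        return ("anonymous", f"{target.host} is not a trusted bind target", target)
    if policy.require_tls_for_bind and target.scheme != "ldaps":
        return ("anonymous", "credentials are only sent over ldaps://", target)
    return ("bind", "trusted host over TLS", target)


# Constructed sample: the result lines a client sees for the search in the thread.
SAMPLE_LDIF = [
    "search: 2",
    "result: 10 Referral",
    "ref: ldap://adldap.adsc.com/ou=prueba,dc=adsc,dc=com??sub",
]

if __name__ == "__main__":
    policy = ReferralPolicy(trusted_hosts=frozenset({"adldap.adsc.com"}))
    for ref in referrals_from_ldif(SAMPLE_LDIF):
        action, reason, target = decide_referral(ref, policy)
        print(f"{ref} -> {action}: {reason}")
```

Run against the thread's own referral, the policy answers `anonymous` (the host is trusted but the URL is plain `ldap://`), which is exactly the situation Alejandro hit: the chased connection reaches the second server unauthenticated, and that server refuses anonymous searches. A client that wants a `bind` outcome has to make that trust decision itself, as Kurt says; the URL alone does not carry it.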
That makes a lot more sense, thanks.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Paul Blondé
-----Original Message-----
From: Kurt Zeilenga [mailto:kurt@OpenLDAP.org]
Sent: Tuesday, July 17, 2007 5:19 PM
To: Paul Blondé
Cc: openldap-software@OpenLDAP.org
Subject: Re: How do I tell ldapsearch to authenticate to the referred to LDAP server when chasing a referral?