Is there a way to configure OpenLDAP client software to globally disable referrals? Is there any side effect to doing so?
I'm being bitten by an Operations Error when querying an AD server and it's been traced down to the default behavior of automatically tracing down referrals in an anonymous fashion.
I'd like to limit having to alter numerous other LDAP-aware applications that are all using ldap_search_ext_s. I could probably alter the ldap_initialize function source (or some other location) to automatically perform a
ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF)
but I'd rather not if I don't need to. I've tried a --disable-referrals in the configure command, but it didn't seem to affect my results.
Brian
Brian Foddy wrote:
> but I'd rather not if I don't need to. I've tried a --disable-referrals in the configure command, but it didn't seem to affect my results.
Where did you find that option documented? Software seldom honors undocumented options; rarely do undocumented options behave the way one expects. This is so undocumented that it doesn't even exist, that's why it's ignored. Since referrals are part of LDAP, instead of entirely disabling them, you should try something like --do-not-always-follow-referrals-when-contacting-AD, or --disable-following-referrals-that-wont-succeed. You won't find any mention of them, of course, because they're undocumented.
However, in ldap.conf(5) there's a well documented option (very hard to find, since it's called, guess what, REFERRALS) that might be of help (not with OpenLDAP tools, though, nor with other clients that explicitly set the behavior with respect to referrals).
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
openldap-software@openldap.org
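A check for the ldap.conf(5) REFERRALS option mentioned in the reply, as an added example that is not part of the original thread or of OpenLDAP: it reports what an ldap.conf-style file sets, treats an absent option as the documented default of on, and lets the LDAPREFERRALS environment variable take precedence. The function names are hypothetical, and the path of the real system-wide file depends on the build, so it is passed as an argument.

```shell
#!/bin/sh
# Added example: report the client-side REFERRALS setting from ldap.conf(5).
# referrals_setting and effective_referrals are hypothetical helper names.

referrals_setting() {
    # $1: path to an ldap.conf-style file ("-" reads standard input).
    # Prints "on", "off", "default-on" (option absent), or
    # "invalid:<value>" for a value outside the documented set.
    awk '
        /^[ \t]*#/ { next }                 # skip comment lines
        toupper($1) == "REFERRALS" {        # option names are case-insensitive
            val = tolower($2); seen = 1     # assumption: a later line overrides
        }
        END {
            if (!seen)                         print "default-on"
            else if (val ~ /^(on|true|yes)$/)  print "on"
            else if (val ~ /^(off|false|no)$/) print "off"
            else                               print "invalid:" val
        }
    ' "$1"
}

effective_referrals() {
    # $1: path to an ldap.conf-style file.
    # ldap.conf(5) options can also come from the environment with an
    # LDAP prefix; LDAPREFERRALS, when set, is reported instead of the file.
    if [ -n "${LDAPREFERRALS:-}" ]; then
        printf 'REFERRALS %s\n' "$LDAPREFERRALS" | referrals_setting -
    else
        referrals_setting "$1"
    fi
}

# Stand-alone use: sh check_referrals.sh /path/to/ldap.conf
if [ "$#" -gt 0 ]; then
    effective_referrals "$1"
fi
```

As the reply notes, the result only describes clients that leave the option alone; the OpenLDAP tools and any application that sets LDAP_OPT_REFERRALS itself are unaffected by it.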