On Tue, Sep 12, 2017 at 10:07:29PM +0100, Howard Chu wrote:
Brian Reichert wrote:
On Tue, Sep 12, 2017 at 01:00:25PM -0700, Ryan Tandy wrote:
On Tue, Sep 12, 2017 at 03:56:07PM -0400, Brian Reichert wrote:
Is this a supported option? Is it documented somewhere officially? I couldn't find it after a quick search...
According to http://www.openldap.org/its/?findid=7177 it is "deprecated and intentionally undocumented".
Helpful pointer, thanks!
If it's deprecated, what's the approved method of coercing ldapsearch to pursue referrals?
ldapsearch shouldn't pursue referrals. The directory server you're using should chain requests for you instead of ever returning referrals.
Regrettably, the directory server, in this case, is Active Directory.
https://technet.microsoft.com/en-us/library/cc978014.aspx
Active Directory returns referrals in accordance with RFC 2251.
https://social.technet.microsoft.com/Forums/ie/en-US/41d26e7a-a65c-47fe-b818...
I don't see Microsoft changing their tune anytime soon. :/
I have to admit, this is the first I've heard of chaining a request.
This might be a way out for me:
http://blog.heeresonline.com/2014/04/activedirectory-ldap-referrals-chasing/
In any event, it's clear that directory servers _can_ return referrals, and as such, it surprises me that there isn't a supported way for OpenLDAP's tool to honor such a configuration.
I presume this has been discussed to death on this list, but I couldn't find any historical threads on the topic. Can you provide some references?
-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
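As an added illustration, not part of this thread and not code from OpenLDAP: a client that chases Active Directory referrals itself, as the blog post above describes, should first decide whether each referral target is one it trusts, because an RFC 2251 referral is just an LDAP URL naming a host, and a client that follows it blindly will re-bind with its credentials to whatever host that URL names. The forest DNS suffix, the ldaps-only rule and the sample referral URLs are constructed for this example.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample referrals in the shape Active Directory returns them for
# naming contexts held elsewhere in the forest. Each is an LDAP URL
# (RFC 2255 syntax: scheme://host:port/base_dn?attrs?scope?filter).
SAMPLE_REFERRALS = [
    "ldaps://child.corp.example/DC=child,DC=corp,DC=example",
    "ldap://DomainDnsZones.corp.example/DC=DomainDnsZones,DC=corp,DC=example",
    "ldaps://dc2.corp.example:636/DC=corp,DC=example??sub?(objectClass=user)",
    "ldap://evil.example.net/DC=corp,DC=example",           # host outside the forest
    "ldaps://corp.example.evil.net/DC=corp,DC=example",     # look-alike suffix
]

# Constructed policy: follow only hosts under the forest's DNS suffix (leading
# dot included, so "xcorp.example" does not match) and only over ldaps://, so
# the re-bind that chasing implies never goes out in the clear.
TRUSTED_SUFFIX = ".corp.example"
REQUIRED_SCHEME = "ldaps"

def parse_referral(url):
    """Split an LDAP URL into (scheme, host, port, base_dn, scope)."""
    parts = urlsplit(url)
    base_dn = unquote(parts.path.lstrip("/"))        # path component is the base DN
    fields = parts.query.split("?") if parts.query else []   # attrs?scope?filter
    scope = fields[1] if len(fields) > 1 and fields[1] else "base"  # RFC 2255 default
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    return parts.scheme, (parts.hostname or "").lower(), port, base_dn, scope

def should_follow(url, suffix=TRUSTED_SUFFIX, scheme=REQUIRED_SCHEME):
    """Return (decision, reason) for one referral under the constructed policy."""
    s, host, port, base_dn, scope = parse_referral(url)
    if not host:
        return False, "drop: no host in referral"
    if not host.endswith(suffix):
        return False, f"drop: host {host} is outside {suffix}"
    if s != scheme:
        return False, f"drop: scheme {s} not allowed, require {scheme}"
    return True, f"follow: {host}:{port} base={base_dn} scope={scope}"

def triage(referrals):
    """Partition referral URLs into (to_follow, to_drop) lists of (url, reason)."""
    follow, drop = [], []
    for url in referrals:
        ok, reason = should_follow(url)
        (follow if ok else drop).append((url, reason))
    return follow, drop

if __name__ == "__main__":
    to_follow, to_drop = triage(SAMPLE_REFERRALS)
    for _, reason in to_follow + to_drop:
        print(reason)
```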