Good day.

I’m an LDAP novice and am attempting to modify an LDAP client to accommodate an LDAP server environment that makes use of referrals.

I have installed openLDAP 2.4.44 on 2 RHEL 7.9 servers.


The initial entries in the tree on serverA contain:


# xxx.com
dn: dc=xxx,dc=com
description: xxx.com
dc: xxx
o: xxx.com
objectClass: top
objectClass: dcObject
objectClass: organization

# Users, xxx.com
dn: ou=Users,dc=xxx,dc=com
ou: Users
description: xxx Users
objectClass: organizationalUnit

# search reference
ref: ldap://serverB.xxx.com:389/dc=uk,dc=xxx,dc=com??sub

# mike, Users, xxx.com
dn: uid=mike,ou=Users,dc=xxx,dc=com
cn: mike
ou: Users
uid: mike
givenName: Mike
mail: mike@uk.xxx.com
objectClass: Person
objectClass: organizationalPerson
objectClass: inetOrgPerson



I believe the "ref" entry is known as a subordinate referral; it was created by populating the tree from an LDIF file that contained the following:


dn: dc=uk,dc=xxx,dc=com
objectClass: referral
objectClass: extensibleObject
dc: uk
ref: ldap://serverB.xxx.com:389/dc=uk,dc=xxx,dc=com


The intent is to redirect any requests received by serverA that refer to the subtree uk.xxx.com to serverB.


The tree on serverB contains:


# xxx.com
dn: dc=xxx,dc=com
description: xxx.com
dc: xxx
o: xxx.com
objectClass: top
objectClass: dcObject
objectClass: organization

# uk.xxx.com
dn: dc=uk,dc=xxx,dc=com
dc: uk
o: uk.xxx.com
description: xxx Users in the UK
objectClass: dcObject
objectClass: organization

# mike, uk.xxx.com
dn: uid=mike,dc=uk,dc=xxx,dc=com
cn: mike
uid: mike
givenName: Mike
mail: mike@uk.xxx.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson


Now, if I perform a search on serverA specifying a base of uk.xxx.com, I get an RC=10 Referral result as expected:

[root@serverA ~]# ldapsearch -x  '(uid=mike)' -b dc=uk,dc=xxx,dc=com  -LL
version: 1

Referral (10)
Matched DN: dc=uk,dc=xxx,dc=com
Referral: ldap://serverB.xxx.com:389/dc=uk,dc=xxx,dc=com??sub

... and I can chase that referral using the -C option to retrieve the entry from serverB:

[root@Mike21 ~]# ldapsearch -x  '(uid=mike)' -b dc=uk,dc=ibm,dc=com  -LL -C
version: 1

dn: uid=mike,dc=uk,dc=xxx,dc=com
cn: mike
uid: mike
givenName: Mike
mail: mike@uk.xxx.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson

But, if I attempt a bind to serverA using the user that exists in serverB, I get an authentication failure:

[root@serverA ~]# ldapsearch -x -b 'dc=uk,dc=xxx,dc=com' -D uid=mike,dc=uk,dc=xxx,dc=com -w passw0rD
ldap_bind: Invalid credentials (49)

Now, I realise that the failure would be expected as the bind DN doesn't exist at serverA.
But I read that every request apart from unbind and abandon can result in a referral.
So why doesn't the bind follow the "ref" to serverB?
Is that possible and have I not configured my server correctly?

Ultimately, what I'd like to do in my client is something like:

    ld_user = ldap_init( "ldap://serverA:389/dc=uk,dc=xxx,dc=com" , 0 );
... followed by :
    err = ldap_simple_bind_s( ld_user, "uid=mike,dc=uk,dc=xxx,dc=com" , password);
... and have LDAP authenticate the given user against serverB based on the referral in serverA.

Is this sort of set up possible?

Many thanks for your advice,
Mike
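
Added example, not code from Mike's post or from OpenLDAP. It sketches the client-side logic the post is asking for. When libldap chases a referral (which is what the -C option switches on), it reconnects to the server named in the referral and, unless the application has installed a rebind callback with ldap_set_rebind_proc(), binds there anonymously, so the user's password never reaches serverB. A client that wants the bind itself to land on serverB has to do the redirection before binding: run an anonymous base-scope search for the bind DN against serverA, take the referral URL out of the result, check that the referred host is one the client is configured to trust (a referral is just data from serverA; chasing it blindly would send the user's password to whatever host the referral names), make sure the connection is protected by TLS, and then bind to that host directly. The referral result below is constructed from the ldapsearch output in the post, the trusted-host list is an assumed piece of client configuration, and no server is contacted; the DN comparison is a simplification that does not handle escaped commas.

```python
"""Client-side bind through a subordinate referral (added example, not the post's code).

Parses the referral that serverA returns for dc=uk,dc=xxx,dc=com, checks
the referred server against a trusted-host list, and reports where the
client should bind. Everything here runs offline on constructed data.
"""
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit

LDAP_REFERRAL = 10  # LDAP resultCode "referral" (RFC 4511)


@dataclass(frozen=True)
class LdapUrl:
    scheme: str
    host: str
    port: int
    base_dn: str
    scope: str


def parse_ldap_url(url: str) -> LdapUrl:
    """Parse an RFC 4516 LDAP URL: scheme://host:port/dn?attrs?scope?filter?exts."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme in referral: {url!r}")
    if not parts.hostname:
        raise ValueError(f"referral without a host: {url!r}")
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    base_dn = unquote(parts.path.lstrip("/"))
    # After the DN the optional fields are attrs, scope, filter, extensions.
    fields = parts.query.split("?") if parts.query else []
    scope = fields[1] if len(fields) > 1 and fields[1] else "base"
    return LdapUrl(parts.scheme, parts.hostname.lower(), port, base_dn, scope)


def _rdns(dn: str) -> list[str]:
    """Split a DN into normalised RDNs. Simplification: escaped commas are not handled."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def dn_is_under(dn: str, base_dn: str) -> bool:
    """True if dn equals base_dn or lies below it in the tree."""
    d, b = _rdns(dn), _rdns(base_dn)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


@dataclass(frozen=True)
class SearchResult:
    """The parts of an LDAP search result this example needs."""
    result_code: int
    matched_dn: str
    referrals: tuple[str, ...]


def choose_bind_target(result: SearchResult, bind_dn: str,
                       trusted_hosts: frozenset[str]) -> LdapUrl:
    """Pick the server to send the bind to, given the result of an anonymous
    base-scope search for bind_dn on the first server.

    Raises LookupError if no referral covers bind_dn and PermissionError if
    the referral names a host the client is not configured to trust: the
    user's password must never go to a host chosen by the referral alone.
    """
    if result.result_code != LDAP_REFERRAL:
        raise LookupError("no referral returned; bind against the first server")
    for url in result.referrals:
        ref = parse_ldap_url(url)
        if not dn_is_under(bind_dn, ref.base_dn):
            continue  # this referral covers a different subtree
        if ref.host not in trusted_hosts:
            raise PermissionError(f"refusing to chase referral to untrusted host {ref.host}")
        return ref
    raise LookupError(f"no referral covers {bind_dn}")


def must_start_tls(ref: LdapUrl) -> bool:
    """A plain ldap:// referral needs StartTLS before a simple bind carries a password."""
    return ref.scheme == "ldap"


# Constructed from the ldapsearch output in the post, not captured live.
SERVER_A_RESULT = SearchResult(
    result_code=LDAP_REFERRAL,
    matched_dn="dc=uk,dc=xxx,dc=com",
    referrals=("ldap://serverB.xxx.com:389/dc=uk,dc=xxx,dc=com??sub",),
)
# Assumed client configuration: the only hosts this client will ever bind to.
TRUSTED_HOSTS = frozenset({"servera.xxx.com", "serverb.xxx.com"})

if __name__ == "__main__":
    target = choose_bind_target(SERVER_A_RESULT, "uid=mike,dc=uk,dc=xxx,dc=com", TRUSTED_HOSTS)
    print(f"bind to {target.host}:{target.port} (StartTLS first: {must_start_tls(target)})")
```

In the C client from the post this would sit between ldap_init() and ldap_simple_bind_s(): search serverA anonymously with LDAP_OPT_REFERRALS turned off so the referral is returned rather than chased, feed the referral URL through the checks above, then open a second handle to the chosen host (or use the rebind callback) and bind the user there.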