On Wed, Sep 13, 2017 at 09:15:04AM +0200, Michael Ströder wrote:
> Note that referrals are not fully specified in the LDAPv3 RFCs. Especially there's no specification which authentication the client should use when chasing referrals.
> AD returns referrals and it is assumed that the client uses the same authentication used when receiving the referral. But there's nothing in LDAPv3 really defining this specific behaviour.
I've read up on the security questions surrounding assumptions about credentials, but when dealing with an AD farm, it is apparently necessary to follow referrals, using the original credentials.
> Furthermore, even when integrating various clients with MS AD, I never had a use-case that required chasing AD referrals. What's your use-case requiring client-side referral chasing?
From what I can glean from our codebase, we were trying to process the retrieval of desktop policies, and issues were found if we didn't chase referrals. I'm trying to gather specifics on that issue, for clarity's sake.
> Ciao, Michael.
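Added example, not code from this thread or from either participant: since LDAPv3 leaves unspecified which credentials a client should present when chasing a referral, and AD simply assumes the original ones are re-used, the client has to decide for itself where it is willing to send them. The check below is the kind of policy a client would run from its rebind callback before re-binding with the caller's credentials: it parses the referral URL, refuses to send credentials over a non-TLS connection, and only accepts hosts and naming contexts inside a trusted forest. The hostnames, the trusted forest suffix `example.com`, and all function names are constructed for the example.

```python
"""Policy check for an LDAP client's rebind callback: decide whether a referral
returned by Active Directory may be chased with the caller's original
credentials.  Added example; hostnames and policy values are constructed."""
from urllib.parse import urlsplit, unquote

# Assumed forest DNS suffix(es) the client is allowed to send credentials to.
TRUSTED_FOREST_SUFFIXES = ("example.com",)


def parse_referral(url):
    """Split an LDAP URL (RFC 4516 form, ldap[s]://host[:port]/dn?...) into
    scheme, host, port and base DN.  Raises ValueError for non-LDAP URLs."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url}")
    host = (parts.hostname or "").lower()
    port = parts.port or (636 if scheme == "ldaps" else 389)
    # urlsplit already stops the path at the first '?', so only the DN remains.
    base_dn = unquote(parts.path[1:]) if parts.path.startswith("/") else ""
    return scheme, host, port, base_dn


def dns_name_from_dn(base_dn):
    """Map the DC= components of a DN to the DNS domain name AD derives
    them from (DC=child,DC=example,DC=com -> child.example.com)."""
    labels = []
    for rdn in base_dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if sep and attr.strip().upper() == "DC":
            labels.append(value.strip())
    return ".".join(labels).lower()


def _within(name, suffixes):
    """True if name equals or is a subdomain of one of the suffixes."""
    return any(name == s or name.endswith("." + s) for s in suffixes)


def referral_policy(url, trusted_suffixes=TRUSTED_FOREST_SUFFIXES, starttls=False):
    """Return (chase_with_original_credentials, reason).

    starttls=True means the client will issue StartTLS on a plain ldap://
    connection before binding; otherwise ldap:// referrals are refused so
    that a simple bind never carries the password in cleartext."""
    try:
        scheme, host, port, base_dn = parse_referral(url)
    except ValueError as exc:
        return False, str(exc)
    if scheme == "ldap" and not starttls:
        return False, f"refusing to send credentials to {host} without TLS"
    if not _within(host, trusted_suffixes):
        return False, f"host {host} is outside the trusted forest"
    # AD naming contexts (including DomainDnsZones/ForestDnsZones partitions)
    # map to DNS names under the forest; refuse contexts from elsewhere.
    dn_domain = dns_name_from_dn(base_dn)
    if dn_domain and not _within(dn_domain, trusted_suffixes):
        return False, f"naming context {dn_domain} is outside the trusted forest"
    return True, f"rebind to {scheme}://{host}:{port}"


if __name__ == "__main__":
    # Constructed referrals of the shape AD returns for child domains.
    for sample in (
        "ldap://child.example.com/DC=child,DC=example,DC=com",
        "ldaps://dc1.child.example.com:636/DC=child,DC=example,DC=com",
        "ldaps://ldap.partner.example.net/DC=child,DC=example,DC=com",
        "ldaps://dc1.example.com/DC=DomainDnsZones,DC=example,DC=com",
    ):
        print(sample, "->", referral_policy(sample))
```

In OpenLDAP's libldap this decision belongs in the callback registered with `ldap_set_rebind_proc()`, which the library calls when it is about to bind to the referred-to server; a client that instead leaves automatic referral chasing enabled with no rebind callback follows the referral anonymously, which is usually why AD policy lookups fail silently rather than with an error.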