Brian Reichert wrote:
On Tue, Sep 12, 2017 at 01:00:25PM -0700, Ryan Tandy wrote:
On Tue, Sep 12, 2017 at 03:56:07PM -0400, Brian Reichert wrote:
Is this a supported option? Is it documented somewhere officially? I couldn't find it after a quick search...
According to http://www.openldap.org/its/?findid=7177 it is "deprecated and intentionally undocumented".
Helpful pointer, thanks!
If it's deprecated, what's the approved method of coercing ldapsearch to pursue referrals?
ldapsearch shouldn't pursue referrals. The directory server you're using should chain requests for you instead of ever returning referrals.
On Tue, Sep 12, 2017 at 10:07:29PM +0100, Howard Chu wrote:
If it's deprecated, what's the approved method of coercing ldapsearch to pursue referrals?
ldapsearch shouldn't pursue referrals. The directory server you're using should chain requests for you instead of ever returning referrals.
Regrettably, the directory server, in this case, is Active Directory.
https://technet.microsoft.com/en-us/library/cc978014.aspx
Active Directory returns referrals in accordance with RFC 2251.
https://social.technet.microsoft.com/Forums/ie/en-US/41d26e7a-a65c-47fe-b818...
I don't see Microsoft changing their tune anytime soon. :/
I have to admit, this is the first I've heard of chaining a request.
This might be a way out for me:
http://blog.heeresonline.com/2014/04/activedirectory-ldap-referrals-chasing/
In any event, it's clear that directory servers _can_ return referrals, and as such, it surprises me that there isn't a supported way for OpenLDAP's tool to honor such a configuration.
I presume this has been discussed to death on this list, but I couldn't find any historical threads on the topic. Can you provide some references?
--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Brian Reichert wrote:
Regrettably, the directory server, in this case, is Active Directory. [..] Active Directory returns referrals in accordance with RFC 2251.
Note that referrals are not fully specified in the LDAPv3 RFCs. Especially there's no specification which authentication the client should use when chasing referrals.
AD returns referrals and it is assumed that the client uses the same authentication used when receiving the referral. But there's nothing in LDAPv3 really defining this specific behaviour.
Furthermore even when integrating various clients with MS AD I never had a use-case requiring to chase AD referrals. What's your use-case requiring client-side referral chasing?
Ciao, Michael.
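Howard's point (the client should not chase referrals at all) and Michael's point (LDAPv3 never says which credentials a client should present when it does chase one) both come down to the same thing: if a client follows referrals, it needs an explicit policy rather than silently re-binding with the original credentials against whatever host the referral names. The script below is an added example written for this thread, not code from OpenLDAP, Microsoft or any poster. It parses the referral URLs a server returns (RFC 4516 LDAP URL syntax) and applies a hypothetical policy: follow only hosts inside a trusted realm suffix, refuse a TLS downgrade, and reuse bind credentials only when both conditions hold. All hostnames, the realm suffix and the referral list are constructed for the example.

```python
"""Referral policy checker for an LDAP client (added example, not from the thread).

The referral URLs and the trusted realm below are constructed sample data;
the policy itself is a hypothetical one chosen to make the decision explicit.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit, unquote

# Constructed sample: the URL list a server might hand back in a referral
# or SearchResultReference. The last entry is deliberately outside the realm.
SAMPLE_REFERRALS = [
    "ldap://dc1.child.example.com/DC=child,DC=example,DC=com",
    "ldaps://dc2.child.example.com:636/DC=child,DC=example,DC=com??sub?(objectClass=*)",
    "ldap://attacker.example.net/DC=child,DC=example,DC=com",
]


@dataclass
class ReferralDecision:
    url: str
    follow: bool
    reuse_credentials: bool
    reason: str


def parse_ldap_url(url):
    """Split an RFC 4516 LDAP URL into scheme, host, port, dn, attrs, scope, filter.

    Defaults follow the RFC: port 389/636 by scheme, scope 'base',
    filter '(objectClass=*)'.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    fields = parts.query.split("?") if parts.query else []
    attrs = fields[0].split(",") if len(fields) > 0 and fields[0] else []
    scope = fields[1] if len(fields) > 1 and fields[1] else "base"
    filt = unquote(fields[2]) if len(fields) > 2 and fields[2] else "(objectClass=*)"
    return {
        "scheme": parts.scheme,
        "host": (parts.hostname or "").lower(),
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "dn": unquote(parts.path.lstrip("/")),
        "attrs": attrs,
        "scope": scope,
        "filter": filt,
    }


def decide(url, trusted_suffixes, original_scheme):
    """Apply the (hypothetical) referral policy to one referral URL.

    trusted_suffixes: DNS suffixes whose hosts are part of our own forest/realm.
    original_scheme: scheme of the connection that returned the referral.
    """
    info = parse_ldap_url(url)
    host = info["host"]
    in_realm = any(host == s or host.endswith("." + s) for s in trusted_suffixes)
    if not in_realm:
        # Never bind, with any credentials, to a host the referral picked for us.
        return ReferralDecision(url, False, False, "host outside trusted realm")
    if original_scheme == "ldaps" and info["scheme"] != "ldaps":
        # A referral must not turn a TLS session into a cleartext one.
        return ReferralDecision(url, False, False, "refusing TLS downgrade")
    # LDAPv3 does not say which credentials to present; we make it explicit:
    # only a trusted host reached over the same protection level gets them.
    return ReferralDecision(url, True, True, "trusted host; reusing bind credentials")


def evaluate_referrals(urls, trusted_suffixes, original_scheme):
    """Return one ReferralDecision per URL, in order."""
    return [decide(u, trusted_suffixes, original_scheme) for u in urls]


if __name__ == "__main__":
    for d in evaluate_referrals(SAMPLE_REFERRALS, ["example.com"], "ldaps"):
        print("%-70s follow=%-5s reuse_creds=%-5s %s"
              % (d.url, d.follow, d.reuse_credentials, d.reason))
```

Run as-is it reports the first URL as a TLS downgrade, the second as safe to follow with the original credentials, and the third as outside the realm. Whether a client chases at all is still a separate decision; the point of the policy is that a library which chases by default with the caller's bind credentials has silently made that decision for every host the server names.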
On Wed, Sep 13, 2017 at 09:15:04AM +0200, Michael Ströder wrote:
Note that referrals are not fully specified in the LDAPv3 RFCs. Especially there's no specification which authentication the client should use when chasing referrals.
AD returns referrals and it is assumed that the client uses the same authentication used when receiving the referral. But there's nothing in LDAPv3 really defining this specific behaviour.
I've read up on the security questions surrounding assumptions about credentials, but when dealing with an AD farm, it is apparently necessary to follow referrals, using the original credentials.
Furthermore even when integrating various clients with MS AD I never had a use-case requiring to chase AD referrals. What's your use-case requiring client-side referral chasing?
From what I can glean from our codebase, we were trying to process the retrieval of desktop policies, and issues were found if we didn't chase referrals. I'm trying to gather specifics on that issue, for clarity's sake.
Ciao, Michael.
openldap-technical@openldap.org