Recursive ldap lookups

Michael Ströder michael at stroeder.com
Thu Apr 2 13:57:07 CEST 2009


Fredrik Melander wrote:
> I was wondering if/how I can make recursive lookups in my ldap-tree
> (corresponding to the -C option of ldapsearch),

Which ldapsearch tool are you talking about? OpenLDAP's command-line
tool ldapsearch does not have an option -C. Do you have several
implementations of ldapsearch on your system?

> i.e.  my ldap-server doesn't have the information I'm asking for, but
> happens to know which other ldap server that has it, and thus
> forwards my request to that server.

Are you talking about client-chasing of LDAPv3 referrals? Yes, you can
do it by processing the LDAP URLs returned in search continuations
yourself. You have to check the result type to be
ldap.RES_SEARCH_REFERENCE. You can then use module 'ldapurl' to parse
the referral URL in the result.

Note that the concept of client-side referral chasing is seriously
broken since the LDAPv3 standard does not specify which credentials to
use when connecting to the server specified in the referral URL. My
web2ldap therefore raises a bind form to interactively ask the user what
to do in this case. So I'd rather recommend configuring your LDAP
server to chase the referral with well-defined credentials if it
supports chaining or however it's called in your LDAP server (which one?).

Also note that there are some security implications if you allow your
users to maintain referral entries on your LDAP server (buzzword: user
self-service).

Ciao, Michael.
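An added example (not code from the poster or from the python-ldap project) of the result-type check, LDAP URL parsing and credential decision the reply describes: a search continuation is only chased anonymously and only to a host on an explicit allow-list, so the user's bind password is never replayed to whatever server a referral entry names. The shape of `rdata` and the fallback constant used when python-ldap is not installed are assumptions.

```python
"""Client-side chasing of LDAPv3 search continuations (SearchResultReference)."""
from urllib.parse import urlsplit, unquote

try:
    import ldap  # python-ldap, when installed
    RES_SEARCH_REFERENCE = ldap.RES_SEARCH_REFERENCE
except ImportError:
    # Assumed value of python-ldap's constant (protocol tag 19 -> 0x73).
    RES_SEARCH_REFERENCE = 115


def parse_ldap_url(url):
    """Minimal RFC 4516 parser: ldap[s]://host[:port]/dn[?attrs[?scope[?filter]]].

    Stands in for python-ldap's 'ldapurl' module so the example runs offline;
    URL extensions (a fourth '?' field) are not split off.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError("not an LDAP URL: %r" % url)
    attrs, scope, filt = (parts.query.split("?", 2) + ["", "", ""])[:3]
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "dn": unquote(parts.path.lstrip("/")),
        "attrs": [a for a in unquote(attrs).split(",") if a],
        "scope": scope or "base",
        "filter": unquote(filt) or "(objectClass=*)",
    }


def plan_referral_chase(rtype, rdata, allowed_hosts):
    """Decide which continuation URLs may be followed, and return them parsed.

    rtype/rdata are the first two elements of a python-ldap result3() tuple;
    for a search reference rdata is assumed to look like [(None, [url, ...])].
    Each returned entry is meant to be searched on a fresh *anonymous* bind
    (ldap.initialize + simple_bind_s with no credentials): the standard does
    not say which credentials the referred-to server expects, so never reuse
    the caller's password, and never connect to a host the directory data
    names unless an administrator listed it.
    """
    if rtype != RES_SEARCH_REFERENCE:
        return []  # entries and the final search result: nothing to chase
    plan = []
    for _dn, urls in rdata:
        for url in urls:
            try:
                target = parse_ldap_url(url)
            except ValueError:
                continue  # malformed continuation: skip, do not guess
            if target["host"] in allowed_hosts:
                plan.append(target)
    return plan
```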
