Recursive ldap lookups

Fredrik Melander melander at dfn-cert.de
Mon Apr 27 18:02:06 CEST 2009


Hi,
first of all thanks for the answer, and sorry that I haven't replied
earlier. Lots of reasons not really interesting for anybody and a bit of
good ol' laziness, of course ;)

>> Which ldapsearch tool are you talking about? OpenLDAP's command-line
>> tool ldapsearch does not have an option -C. Do you have several
>> implementations of ldapsearch on your system?

That's true, if you consider the latest version(s?) of ldapsearch. There
used to be a -C option for client-chasing referrals. I'm not sure exactly
when or why this was taken out, but even after it was removed from the
documentation it lingered as an "undocumented feature" for a while,
meaning you could use it if you happened to know about it. The guys here
at work also tell me that before it got removed completely it remained
in some broken kind of way, that is, you could still use the option, but
it wouldn't quite work. I've never seen this myself though.

By the way (looking now), where I sit, "man ldapsearch" gives me, among
other things:
-C     Chase referrals (anonymously)

This is OpenLDAP 2.3.37.


>>Are you talking about client-chasing of LDAPv3 referrals? Yes, you can
>>do it by processing the LDAP URLs returned in search continuations
>>yourself. You have to check the result type to be
>>ldap.RES_SEARCH_REFERENCE. You can then use module 'ldapurl' to parse
>>the referral URL in the result.

Yes, that's what I'm talking about. Since my question we've also decided
to do things this way, and parse the replies manually instead of trying
to make the server do anything for us.


>>Note that the concept of client-chasing referral chasing is seriously
>>broken since the LDAPv3 standard does not specify which credentials to
>>use when connecting to the server specified in the referral URL. My
>>web2ldap therefore raises a bind form to interactively ask the user what
>>to do in this case. So I'd rather recommend to configure your LDAP
>>server to chase the referral with well-defined credentials if it
>>supports chaining or however it's called in your LDAP server (which
>>one?).

That's some useful information. Our server is OpenLDAP. Not sure which
version right now, though.

Think I've got the hang of it now. I will simply check the type of the
reply manually and keep requesting around 'til I don't get another
reference. Thanks again!

Greetings,
Fredrik
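The loop described in this thread (issue the search, check each reply for ldap.RES_SEARCH_REFERENCE, parse the referral URL, search again until no further reference comes back), written out as an added example that is not code from the thread or from python-ldap. It addresses the credential problem quoted above by never re-using the original bind for a referral target: the referral host is checked against an allow-list and contacted only with credentials the caller explicitly chose (anonymous by default, like the old -C), and a visited set plus a hop limit stop referral loops. The fixture, host names and DNs are constructed; the RFC 4516 URL parsing is done with the standard library so the block runs offline (in a real program `ldapurl.LDAPUrl` does the same job), and the assumption that a search-reference message carries its URLs as `rdata = [(None, [url, ...])]` in the shape python-ldap's `result3()` returns is marked in the code. The `python_ldap_search` helper is the only part that needs python-ldap installed.

```python
"""Client-side chasing of LDAPv3 search continuations with explicit credentials,
an allow-list of referral hosts, and loop/hop guards. Added example, not from the thread."""
from urllib.parse import urlsplit, unquote

# LDAP protocol tags ([APPLICATION 4/5/19]); python-ldap exposes the same
# numbers as ldap.RES_SEARCH_ENTRY, ldap.RES_SEARCH_RESULT, ldap.RES_SEARCH_REFERENCE.
RES_SEARCH_ENTRY = 0x64
RES_SEARCH_RESULT = 0x65
RES_SEARCH_REFERENCE = 0x73


def parse_ldap_url(url):
    """Split an RFC 4516 URL (ldap://host:port/dn?attrs?scope?filter) into its parts.
    Stand-in for ldapurl.LDAPUrl so the example needs no python-ldap."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    dn = unquote(parts.path[1:] if parts.path.startswith("/") else parts.path)
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (4 - len(fields))          # attrs, scope, filter, extensions
    attrs, scope, filt, _ext = fields[:4]
    return {
        "scheme": parts.scheme,
        "host": (parts.hostname or "").lower(),
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "dn": dn,
        "attrs": [a for a in attrs.split(",") if a],
        "scope": scope or "base",
        "filter": unquote(filt) or "(objectClass=*)",
    }


def chase_search(search_fn, url, allowed_hosts, max_hops=5):
    """Run search_fn(target) for the start URL and every referral it yields.
    search_fn must return an iterable of (rtype, rdata) pairs; rdata for a
    reference is assumed to be [(None, [url, ...])] as python-ldap returns it.
    Returns (entries, skipped) where skipped lists referrals NOT followed and why."""
    entries, skipped, visited = [], [], set()
    queue = [(url, 0)]
    while queue:
        current, depth = queue.pop(0)
        target = parse_ldap_url(current)
        key = (target["host"], target["port"], target["dn"], target["scope"], target["filter"])
        if key in visited:                       # referral loop: A -> B -> A
            skipped.append((current, "already visited"))
            continue
        visited.add(key)
        if depth > max_hops:
            skipped.append((current, "hop limit exceeded"))
            continue
        if target["host"] not in allowed_hosts:  # never talk (or bind) to unapproved hosts
            skipped.append((current, "host not in allow-list"))
            continue
        for rtype, rdata in search_fn(target):
            if rtype == RES_SEARCH_ENTRY:
                entries.extend(rdata)
            elif rtype == RES_SEARCH_REFERENCE:
                for _dn, urls in rdata:
                    queue.extend((ref, depth + 1) for ref in urls)
            elif rtype == RES_SEARCH_RESULT:
                break                            # SearchResultDone ends this hop
    return entries, skipped


def python_ldap_search(target, bind_dn=None, bind_pw=None):
    """Real search_fn for chase_search using python-ldap (imported lazily).
    Server-side chasing is switched off so references reach us; the bind used
    for a referral host is the one given here, anonymous when none is given."""
    import ldap
    scopes = {"base": ldap.SCOPE_BASE, "one": ldap.SCOPE_ONELEVEL, "sub": ldap.SCOPE_SUBTREE}
    conn = ldap.initialize("%s://%s:%d" % (target["scheme"], target["host"], target["port"]))
    conn.set_option(ldap.OPT_REFERRALS, 0)
    conn.simple_bind_s(bind_dn or "", bind_pw or "")
    msgid = conn.search(target["dn"], scopes[target["scope"]], target["filter"],
                        target["attrs"] or None)
    try:
        while True:
            rtype, rdata, _msgid, _ctrls = conn.result3(msgid, 0)
            yield rtype, rdata
            if rtype == ldap.RES_SEARCH_RESULT:
                break
    finally:
        conn.unbind_s()


# Constructed fixture: server 1 refers to server 2 and to an unapproved host;
# server 2 refers back to server 1, which must end via the visited set.
FAKE_DIRECTORY = {
    ("ldap1.example.net", "dc=example,dc=net"): [
        (RES_SEARCH_ENTRY, [("uid=alice,ou=people,dc=example,dc=net", {"uid": [b"alice"]})]),
        (RES_SEARCH_REFERENCE, [(None, ["ldap://ldap2.example.net/ou=remote,dc=example,dc=net??sub",
                                        "ldap://evil.example.org/dc=example,dc=net??sub"])]),
        (RES_SEARCH_RESULT, []),
    ],
    ("ldap2.example.net", "ou=remote,dc=example,dc=net"): [
        (RES_SEARCH_ENTRY, [("uid=bob,ou=remote,dc=example,dc=net", {"uid": [b"bob"]})]),
        (RES_SEARCH_REFERENCE, [(None, ["ldap://ldap1.example.net/dc=example,dc=net??sub"])]),
        (RES_SEARCH_RESULT, []),
    ],
}


def fake_search(target):
    return FAKE_DIRECTORY.get((target["host"], target["dn"]), [(RES_SEARCH_RESULT, [])])


def demo():
    return chase_search(fake_search, "ldap://ldap1.example.net/dc=example,dc=net??sub",
                        allowed_hosts={"ldap1.example.net", "ldap2.example.net"})
```

Against the fixture, `demo()` returns the two entries from the two approved servers and a `skipped` list naming the unapproved host and the loop-back referral. With a real server, pass `python_ldap_search` (or a `functools.partial` of it carrying the credentials you want used for referral hosts) as `search_fn`.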