[python3-ldap] R: What's the best way to deal with continuation referrals?

python3ldap python3ldap at gmail.com
Sat Nov 1 20:35:32 CET 2014


Hello Michael, David,
with the auto_referral=True parameter in the connection object
python3-ldap lets you automatically follow referrals in the result code
only. You must specify a list of "trusted" LDAP servers in the Server
object. For each referral server you can specify if you want to send
authentication data or try only an anonymous bind. This kind of
referral is in the result message and can be returned for every
operation. It means that the server is not able to perform the
requested operation and it suggests another server that should be able
to. The other server can again return a referral and so on. The RFCs
state that the client must avoid loops in referrals and allow a maximum
of 10 "hops". This is honored by python3-ldap.

What is still missing in python3-ldap is the "continuation
references" that can be returned in a search operation as a
searchResponse. I should follow the same approach (specify a list of
servers with auth or anonymous bind), but the problem here is that you
can have many references to different servers, so I'm not sure if this
is the right way to perform the search, because the search operation
could be very long.

Bye,
Giovanni


2014-11-01 13:29 GMT+01:00 Michael Ströder <michael at stroeder.com>:
> Python3-ldap wrote:
>> I've set up an infrastructure for testing different LDAP servers, I think I
>> should be able to include automatic continuation referral resolution in
>> one of the next releases of python3-ldap.
>
> Note that in general LDAPv3 referrals are a broken concept anyway and not
> used. Especially since there's no standard defining e.g. which authentication
> to use when following a referral.
>
> So IMO it's ok at the API level to just return the referral LDAP URLs and let
> the LDAP client application deal with it because the app has more knowledge
> about the context.
>
> With MS AD I wildly guess that "the concept" was to let the client simply
> re-use the Windows logon identity. But even with MS AD you won't need chasing
> referrals. Everybody who thinks so should have a closer look at what's really
> referenced by the referrals.
>
> In my web2ldap I simply present an input form to the user interactively asking
> for the authc information to use when chasing the referral. BTW: This
> functionality was implemented for an academic approach ~14 years ago. Chasing
> referrals has never been required since then. Referrals e.g. returned for
> write requests should also be handled by the LDAP server with chaining.
>
> Ciao, Michael.
>
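The referral-following rules described in Giovanni's message (a list of trusted servers, a per-server choice between forwarding the caller's credentials and binding anonymously, loop avoidance and a limit of 10 hops), as an added illustration that is not python3-ldap's own code. The `chase` function, its `trusted` policy dictionary and the `FakeDirectory` class are hypothetical names; the host names, LDAP URLs and credentials are constructed so the example runs offline without any LDAP server.

```python
"""Referral chasing with a trusted-server allowlist, loop detection and a hop limit.

Constructed example: FakeDirectory stands in for a set of LDAP servers, so nothing
here talks to a real directory. The security point is that credentials are only
ever presented to servers the caller has explicitly listed, and never to a server
a referral merely points at.
"""
from urllib.parse import urlparse

MAX_HOPS = 10  # the limit quoted in the message


class ReferralError(Exception):
    """Base class for referral-chasing failures."""


class ReferralLoopError(ReferralError):
    """A referral points back to a server already visited in this chain."""


class ReferralHopLimitError(ReferralError):
    """More than MAX_HOPS referrals were returned in a row."""


class UntrustedReferralError(ReferralError):
    """A referral points at a server that is not in the trusted list."""


def parse_referral(url):
    """Return (host, port) from an LDAP URL; ldap:// defaults to 389, ldaps:// to 636."""
    parsed = urlparse(url)
    if parsed.scheme not in ("ldap", "ldaps") or not parsed.hostname:
        raise ValueError("not an LDAP URL: %r" % url)
    return parsed.hostname.lower(), parsed.port or (636 if parsed.scheme == "ldaps" else 389)


class FakeDirectory:
    """Constructed stand-in for several LDAP servers; records the credentials each one saw."""

    def __init__(self, behaviour):
        self.behaviour = behaviour  # (host, port) -> ("success", data) or ("referral", [urls])
        self.received = {}          # (host, port) -> credentials presented, or None for anonymous

    def operate(self, server, credentials):
        self.received[server] = credentials
        return self.behaviour[server]


def chase(server, trusted, directory, credentials, hop_limit=MAX_HOPS):
    """Run an operation on `server`, following referrals only to servers listed in `trusted`.

    `trusted` maps (host, port) to "auth" (forward the caller's credentials) or
    "anonymous" (bind without credentials). Unlisted servers are never contacted.
    Returns (result, hops_followed).
    """
    visited = [server]
    hops = 0
    while True:
        policy = trusted.get(server)
        if policy is None:
            # Refuse rather than guess which identity to present to an unknown server.
            raise UntrustedReferralError("referral to untrusted server %s:%d" % server)
        status, payload = directory.operate(server, credentials if policy == "auth" else None)
        if status == "success":
            return payload, hops
        # status == "referral": payload is a list of LDAP URLs; follow the first one.
        if hops >= hop_limit:
            raise ReferralHopLimitError("more than %d referral hops" % hop_limit)
        nxt = parse_referral(payload[0])
        if nxt in visited:
            raise ReferralLoopError("referral loop back to %s:%d" % nxt)
        visited.append(nxt)
        server = nxt
        hops += 1


# Constructed hosts and credentials for the scenarios below (not real values).
CREDS = ("cn=svc,dc=example,dc=test", "constructed-password")
DC1, DC2, DC3 = ("dc1.example.test", 389), ("dc2.example.test", 389), ("dc3.example.test", 636)


def run(behaviour, trusted, start):
    """Drive one scenario and report (outcome, hops, credentials each server received)."""
    directory = FakeDirectory(behaviour)
    try:
        _, hops = chase(start, trusted, directory, CREDS)
        return "success", hops, directory.received
    except ReferralError as exc:
        return type(exc).__name__, None, directory.received


def scenario_success():
    """DC1 refers to DC2; DC2 is trusted for anonymous bind only, so it must not see CREDS."""
    behaviour = {DC1: ("referral", ["ldap://dc2.example.test/ou=people,dc=example,dc=test"]),
                 DC2: ("success", [{"uid": "alice"}])}
    return run(behaviour, {DC1: "auth", DC2: "anonymous"}, DC1)


def scenario_loop():
    """DC1 -> DC2 -> DC3 -> DC1: the loop is detected before DC1 is contacted again."""
    behaviour = {DC1: ("referral", ["ldap://dc2.example.test/"]),
                 DC2: ("referral", ["ldaps://dc3.example.test/"]),
                 DC3: ("referral", ["ldap://dc1.example.test/"])}
    return run(behaviour, {DC1: "auth", DC2: "auth", DC3: "auth"}, DC1)


def scenario_untrusted():
    """DC1 refers to a host not in the trusted list: nothing is ever sent to it."""
    return run({DC1: ("referral", ["ldap://rogue.example.test/"])}, {DC1: "auth"}, DC1)


def scenario_hop_limit():
    """A 12-server chain of referrals stops after MAX_HOPS hops, before reaching the end."""
    hosts = [("hop%d.example.test" % i, 389) for i in range(12)]
    behaviour = {hosts[i]: ("referral", ["ldap://%s/" % hosts[i + 1][0]]) for i in range(11)}
    behaviour[hosts[11]] = ("success", [])
    return run(behaviour, {h: "auth" for h in hosts}, hosts[0])


if __name__ == "__main__":
    for scenario in (scenario_success, scenario_loop, scenario_untrusted, scenario_hop_limit):
        outcome, hops, received = scenario()
        print("%-20s -> %s (hops=%s, servers contacted=%d)" % (scenario.__name__, outcome, hops, len(received)))
```

The `received` dictionary is what makes the policy checkable: in the success scenario the referred-to server sees `None` instead of the bind credentials, and in the untrusted scenario the rogue host never appears in it at all, which is the behaviour a client library should guarantee when it follows referrals automatically.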

