Xu, Qiang (FXSGSC) wrote:
> Michael wrote:
>> Why do you want to enable referral chasing?
> 
> I didn't want. But our printer provides the option to be enabled or
> disabled, and the customer found it doesn't work in an ADS, which is
> at the same time a DNS server.

And why did the customer want to have it enabled?

>> Yes, that's the default behaviour of most LDAP client libs
>> for automatic referral chasing. Obviously it's wrong.
>>
>> Letting the LDAP client chase referrals is a fundamentally
>> broken concept in LDAPv3 anyway because there is no clear
>> definition at all which credentials the client should use
>> when chasing the referral.
> 
> Yes, it seems in chasing the referral, the printer doesn't know which
> credential to be used to bind to the referred servers (therefore the
> binding was anonymous in the trace). Hence, the error indicates a
> successful binding must be done beforehand.

Yes, that's because AD does not allow searching for data for anonymous
access.

> But I can't explain the intermittent success in LDAP search. Is it
> due to that sometimes, the DNS server can't find out the IP Address
> of the host name used in the referral URI?

I don't understand exactly what you mean here. When the client chases a
referral the client tries to resolve the hostname in the referral LDAP URL.

>> Speaking of AD as a LDAPv3 implementation with a certain
>> profile or additional assumptions the client could use the
>> same credentials he used to bind to the originating server. I
>> think that's the way the AD developers thought about it in
>> the light of domain trusts etc. But again that's not a valid
>> assumption in general for a LDAP client application.
>>
>> In general the application has to be configured with a-priori
>> knowledge how to bind to the referral's target.
> 
> So, can I say that this referral is not recommended in an LDAPv3 implementation?

Short: Yes.

Long: To get this right you have to provide some user interaction for
asking the user to provide the right credentials when chasing the
referral (obviously not suitable for a printer or similar
non-interactive system) or implement a configurable look-up table of
possible referral targets and the accompanying credentials. Most times
this is not worth the effort. (So we're back asking the question why the
customer enabled referral chasing.)

Ciao, Michael.
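The "configurable look-up table of possible referral targets and the accompanying credentials" that Michael describes can be sketched in a few dozen lines. The following is an added example written for this page, not code from the thread, from Mozilla's LDAP SDK or from any printer firmware. It only decides which credentials (if any) a client should use for a referral URL; it does not open a connection. Host names, DNs and passwords are constructed placeholders, and the `reuse_origin` switch models the AD-style assumption discussed above (reuse the credentials that worked on the originating server), which is off by default because, as the thread notes, it is not a valid assumption for LDAPv3 in general.

```python
"""Referral credential policy for a non-interactive LDAP client (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit, unquote


@dataclass(frozen=True)
class BindCredentials:
    bind_dn: str
    password: str


def parse_referral(url: str) -> Tuple[str, str, int, str]:
    """Split an LDAP URL (RFC 4516 shape: scheme://host[:port]/dn[?...]) into
    (scheme, host, port, base_dn). Raises ValueError for anything that is
    not an ldap:// or ldaps:// URL with a host, so a malformed referral is
    rejected instead of silently chased."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url!r}")
    host = parts.hostname  # urlsplit lower-cases the host for us
    if not host:
        raise ValueError(f"referral without a host: {url!r}")
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    base_dn = unquote(parts.path.lstrip("/"))
    return parts.scheme, host, port, base_dn


class ReferralPolicy:
    """A-priori knowledge of how to bind to each referral target.

    targets: host name -> credentials to use when a referral points there.
    reuse_origin: if True, fall back to the credentials used on the
      originating server when the host is unknown (an AD-specific
      assumption; not safe for LDAP in general, hence False by default).
    """

    def __init__(self, targets: Dict[str, BindCredentials], reuse_origin: bool = False):
        self.targets = {host.lower(): creds for host, creds in targets.items()}
        self.reuse_origin = reuse_origin

    def credentials_for(
        self, referral_url: str, origin: Optional[BindCredentials] = None
    ) -> Optional[BindCredentials]:
        """Return the credentials to bind with on the referred server, or None
        when the referral should NOT be chased. Never returns an anonymous
        bind: that is exactly the case the thread shows AD rejecting."""
        _scheme, host, _port, _dn = parse_referral(referral_url)
        creds = self.targets.get(host)
        if creds is not None:
            return creds
        if self.reuse_origin and origin is not None:
            return origin
        return None

    def plan(
        self, referral_urls: List[str], origin: Optional[BindCredentials] = None
    ) -> List[Tuple[str, str]]:
        """For each referral URL, say whether it would be chased and as whom.
        Each entry is (url, "chase as <bind_dn>") or (url, "skip")."""
        decisions = []
        for url in referral_urls:
            try:
                creds = self.credentials_for(url, origin)
            except ValueError:
                decisions.append((url, "skip"))
                continue
            decisions.append((url, f"chase as {creds.bind_dn}" if creds else "skip"))
        return decisions


# Constructed sample data: an origin bind plus a look-up table with one known
# referral target. None of these hosts or accounts are real.
ORIGIN = BindCredentials("CN=printer-svc,OU=Service,DC=example,DC=com", "origin-secret")
POLICY = ReferralPolicy(
    {"dc2.example.com": BindCredentials("CN=printer-svc,OU=Service,DC=child,DC=example,DC=com", "child-secret")}
)
# Referral URLs as a server might return them in a search response (constructed).
SAMPLE_REFERRALS = [
    "ldap://DC2.example.com/DC=child,DC=example,DC=com",
    "ldap://partner.example.net:3268/DC=partner,DC=example,DC=net",
    "http://not-ldap.example.com/",
]

if __name__ == "__main__":
    for url, decision in POLICY.plan(SAMPLE_REFERRALS, ORIGIN):
        print(f"{decision:60s} {url}")
```

With the default policy the unknown partner host is skipped rather than bound to anonymously; switching `reuse_origin=True` is the knob an administrator would turn only for a single AD forest where the originating credentials are known to be valid on every referred domain controller.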
_______________________________________________
dev-tech-ldap mailing list
https://lists.mozilla.org/listinfo/dev-tech-ldap