Comment #2 on issue 1641 by bryan.weingarten: Required LDAP OPT_REFERRALS
option
http://code.google.com/p/reviewboard/issues/detail?id=1641
FAQ #13 from http://www.python-ldap.org/faq.shtml
Basically we require turning off "chasing referrels" for our ldap client to
work.
The line to turn off referrals just goes immediately after each
ldapo.initialize().
I'm sure many people would not require or want this, so it's best to add
this as an
option to "Disable referrals" in the LDAP settings. I don't know anything
about LDAP
either. LDAP in Review Board was not working for me and I had to
experiment with
python-ldap and a lot of googling to figure this out. Then when I looked
at Review
Board code, it was obvious that it was missing this one line of code. When
I added
it, Review Board was able to successfully authenticate for us.
Q: My script bound to MS Active Directory but a a search operation results
in an
exception ldap.OPERATIONS_ERROR with the diagnostic messages text "In order
to
perform this operation a successful bind must be completed on the
connection.".
What's happening here?
A: When searching from the domain level MS AD returns referrals (search
continuations) for some objects to indicate to the client where to look for
these
objects. Client-chasing of referrals is a broken concept since LDAPv3 does
not
specify which credentials to use when chasing the referral. Windows clients
are
supposed to simply use their Windows credentials but this does not work in
general
when chasing referrals received from and pointing to arbitrary LDAP servers.
Therefore per default libldap automatically chases the referrals internally
with an
anonymous access which fails with MS AD.
So best thing is to switch this behaviour off:
l = ldap.initialize('ldap://foobar')
l.set_option(ldap.OPT_REFERRALS,0)
--
You received this message because you are subscribed to the Google Groups
"reviewboard-issues" group.
To post to this group, send email to reviewboard-iss...@googlegroups.com.
To unsubscribe from this group, send email to
reviewboard-issues+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/reviewboard-issues?hl=en.
