From: Graham B. <gb...@po...> - 2001-11-28 15:08:18
On Wed, Nov 28, 2001 at 03:00:31PM +0000, John Berthels wrote:
> > Basically my thought was that the user would have to tell Net::LDAP
> > that they want to chase referrals by registering a sub which, given an
> > LDAP URL, would create the connection and do the auth.
> >
> > I have not thought much beyond that, so if anyone wants to bounce a few
> > ideas, go ahead
>
> I think the ability to pass in a sub to do the bind is a good idea.

Not just the bind, the connection too. This would allow the application
to do caching of the connections if it wished. I do not expect Net::LDAP
to cache connections from chasing referrals.

> Presumably one concern is that chasing a referral attempts a bind to
> another server, which involves presenting credentials, sometimes a
> cleartext password.

Right, but with this approach that is completely under the control of
the application.

> Two thoughts are:
>
> - a referral chase could perform an anonymous bind (fail-safe as regards
>   password leakage) using the same protocol version [not by default, but as
>   an option]

We could have an option which would do this. It could simply be done by
exporting a sub which does this and can be passed to Net::LDAP to open
the connection.

> - a facility could be provided to declare a list of 'trusted' or
>   'equivalent' servers. Referrals to these servers should replay the
>   original credentials if possible (perhaps falling back to the
>   user-supplied sub if that fails).

I do not like this idea at all. It means that Net::LDAP must remember
the credentials that a user binds with. It does not do that now, nor did
I really want it to.

Graham.

> Of course these could be accomplished with the 'sub' approach, but is
> either of the two bullets above useful behaviour?
>
> regards,
>
> jb
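The callback design discussed in this thread, written out as an added example (not code from the Net::LDAP distribution or from either poster): `anon_connect_for_url` and `search_chasing_referrals` are hypothetical helpers layered on the real Net::LDAP, Net::LDAP::Constant and URI::ldap APIs, the application keeps control of what is sent to the referred server, and the anonymous-bind sub is the fail-safe option John suggested; host names and credentials are placeholders.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_REFERRAL);
use URI;   # URI::ldap parses ldap://host:port/dn URLs

# Fail-safe connection sub (hypothetical helper): given an LDAP URL, open the
# connection and bind anonymously. The original credentials are never
# replayed, so a referral to an unexpected server cannot harvest a password.
sub anon_connect_for_url {
    my ($url) = @_;
    my $uri  = URI->new($url);
    my $ldap = Net::LDAP->new($uri->host, port => $uri->port, version => 3)
        or return (undef, "cannot connect to " . $uri->host . ": $@");
    my $mesg = $ldap->bind;                    # anonymous bind
    return (undef, "anonymous bind failed: " . $mesg->error) if $mesg->code;
    return ($ldap, undef);
}

# Run a search and, when the server answers with a referral, re-run it on the
# referred server through the application-supplied connection sub. The hop
# count is capped so a misbehaving server cannot bounce us around forever.
sub search_chasing_referrals {
    my ($ldap, $connect_sub, %search) = @_;
    for my $hop (0 .. 5) {
        my $mesg = $ldap->search(%search);
        return $mesg if $mesg->code != LDAP_REFERRAL;
        my ($url) = $mesg->referrals or return $mesg;   # referral without a URL
        my $uri = URI->new($url);
        $search{base} = $uri->dn if $uri->can('dn') && length $uri->dn;
        my $err;
        ($ldap, $err) = $connect_sub->($url);
        die "referral to $url not followed: $err\n" unless $ldap;
    }
    die "too many referral hops\n";
}

# Usage: only the initial bind presents the real credentials; referrals do not.
my $ldap = Net::LDAP->new('ldap.example.com') or die "$@";   # placeholder host
$ldap->bind('cn=app,dc=example,dc=com', password => $ENV{LDAP_PASSWORD});
my $mesg = search_chasing_referrals($ldap, \&anon_connect_for_url,
    base => 'dc=example,dc=com', filter => '(uid=jb)');
die $mesg->error if $mesg->code;
print $_->dn, "\n" for $mesg->entries;
```

A stricter variant would have the connection sub refuse URLs whose scheme or host is not on an application-maintained list, which keeps the policy in the application rather than in Net::LDAP, as Graham prefers.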