From: Michael S. <mi...@st...> - 2009-04-02 11:57:28
Fredrik Melander wrote:
> I was wondering if/how I can make recursive lookups in my ldap-tree
> (corresponding to the -C option of ldapsearch),

Which ldapsearch tool are you talking about? OpenLDAP's command-line tool ldapsearch does not have an option -C. Do you have several implementations of ldapsearch on your system?

> i.e. my ldap-server doesn't have the information I'm asking for, but
> happens to know which other ldap server that has it, and thus
> forwards my request to that server.

Are you talking about client-chasing of LDAPv3 referrals?

Yes, you can do it by processing the LDAP URLs returned in search continuations yourself. You have to check the result type to be ldap.RES_SEARCH_REFERENCE. You can then use module 'ldapurl' to parse the referral URL in the result.

Note that the concept of client-chasing referral chasing is seriously broken since the LDAPv3 standard does not specify which credentials to use when connecting to the server specified in the referral URL. My web2ldap therefore raises a bind form to interactively ask the user what to do in this case.

So I'd rather recommend to configure your LDAP server to chase the referral with well-defined credentials if it supports chaining or however it's called in your LDAP server (which one?).

Also note that there are some security implications if you allow your users to maintain referral entries on your LDAP server (buzzword: user self-service).

Ciao, Michael.
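The following is an added example, not part of the original message and not python-ldap or web2ldap code. It sketches one way a client could handle the credential problem described above: each referral URL is checked against an allowlist that names the identity to bind as on that server, and anything else is skipped. Assumptions: search references arrive as `(None, [url, ...])` tuples next to normal `(dn, attrs)` entries, the allowlist and host names are constructed, and parsing uses the standard library's `urllib.parse` in place of `ldapurl` so the block runs without python-ldap installed.

```python
from urllib.parse import urlsplit, unquote

DEFAULT_PORT = {"ldap": 389, "ldaps": 636}

# Constructed allowlist: (scheme, host, port) -> DN to bind as on that server.
# None means anonymous bind. The caller's own credentials are never reused.
TRUSTED = {
    ("ldaps", "ldap2.example.org", 636): "cn=reader,dc=example,dc=org",
    ("ldap", "ldap3.example.org", 389): None,
}

def parse_referral(url):
    """Split an LDAP URL into (scheme, host, port, base DN)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORT or not parts.hostname:
        raise ValueError("not a usable LDAP URL: %r" % (url,))
    port = parts.port or DEFAULT_PORT[scheme]  # raises ValueError on a bad port
    return scheme, parts.hostname, port, unquote(parts.path.lstrip("/"))

def decide(url, trusted=TRUSTED):
    """Return a chase plan for one referral URL, or a skip with the reason."""
    try:
        scheme, host, port, base = parse_referral(url)
    except ValueError as exc:
        return {"action": "skip", "reason": str(exc)}
    key = (scheme, host, port)
    if key not in trusted:
        return {"action": "skip",
                "reason": "server not on allowlist: %s://%s:%d" % key}
    return {"action": "chase", "uri": "%s://%s:%d" % key,
            "base": base, "bind_dn": trusted[key]}

def plan_referrals(results, trusted=TRUSTED):
    """Separate entries from search references and plan each reference."""
    entries, plans = [], []
    for dn, data in results:
        if dn is None:  # search reference: data is a list of LDAP URLs
            plans.extend(decide(u, trusted) for u in data)
        else:
            entries.append((dn, data))
    return entries, plans

# Constructed sample in the assumed result shape.
SAMPLE = [
    ("uid=jdoe,ou=People,dc=example,dc=com", {"cn": [b"J Doe"]}),
    (None, ["ldaps://ldap2.example.org/ou=Staff,dc=example,dc=org??sub"]),
    (None, ["ldap://ldap2.example.org/ou=Staff,dc=example,dc=org??sub"]),
    (None, ["ldap://other.example.net/dc=example,dc=com"]),
]
```

The second referral in the sample is skipped because the allowlist key includes the scheme, so a referral that points to a trusted host over plain `ldap://` does not receive the credentials reserved for `ldaps://`.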