LDAP search failed

Brendan Kearney bpk678 at gmail.com
Tue Jul 7 17:48:18 CEST 2015


On 07/07/2015 10:03 AM, Michael Ströder wrote:
> Hatim CHIKHI wrote:
>> I found the solution for the ldap slow search here:
>> http://lists.freeradius.org/pipermail/freeradius-users/2013-January/064566.html
>>
>> There is just an option in the ldap configuration of freeradius that must
>> be modified:
>>
>> ldap {
>>     ...
>>     chase_referrals = no
>> }
> I'd vote for this to be the default. Automagically chasing referrals is
> useless in almost any case, especially because it's a broken concept. At least
> I never had an LDAP deployment where this was safe to use - during the last 15+
> years.
>
> Ciao, Michael.
>
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
In larger environments, where multiple domains are in play, referrals 
would need to be chased.  I work in such an environment with AD.  The 
parent domain to the domain my ID is in has a two-way forest-level 
trust with the parent domain of a partner domain.  Take the below example:

sub.acme.corp -> acme.corp <-> brandx.corp <- sub.brandx.corp

Since my ID is in sub.acme.corp, I need to chase referrals (or walk the 
tree, as it has been called) to get Kerberos tickets for services hosted 
in sub.brandx.corp (HTTP, etc.).

While this is not an everyday, run-of-the-mill configuration, it is 
found in the wild.
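The two positions in this thread (never chase referrals vs. must chase them across forest trusts) can be reconciled on the client side by chasing only referrals that point at known forest domains over TLS, rather than a blanket chase_referrals yes/no. The following is an added illustration, not code from this thread or from FreeRADIUS; the domain list is constructed from Brendan's example topology, and the LDAP client that would feed it referral URLs is hypothetical.

```python
# Added example: per-referral policy for an LDAP client, instead of a global
# chase_referrals switch. An LDAP referral (RFC 4511) is a list of LDAP URLs;
# the server that issued it is not the authority on whether the new host
# should receive the client's bind credentials, so the client decides.
from urllib.parse import urlparse

# Constructed from the trust topology in the thread:
#   sub.acme.corp -> acme.corp <-> brandx.corp <- sub.brandx.corp
# Any referral outside these domains is dropped rather than followed.
TRUSTED_DOMAINS = ("sub.acme.corp", "acme.corp", "brandx.corp", "sub.brandx.corp")


def referral_allowed(url: str, trusted=TRUSTED_DOMAINS, require_tls=True) -> bool:
    """Return True only if the referral URL names a host inside a trusted
    domain and (by default) uses ldaps://, so a rebind cannot leak the
    credentials in clear text to a host the issuing server chose."""
    try:
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower().rstrip(".")
    except ValueError:  # malformed URL (e.g. bad IPv6 bracket syntax)
        return False
    if parsed.scheme not in ("ldap", "ldaps"):
        return False
    if require_tls and parsed.scheme != "ldaps":
        return False
    if not host:
        return False
    # Exact match or proper sub-host of a trusted domain; a suffix check on
    # "." + domain prevents "acme.corp.evil.example" from matching "acme.corp".
    return any(host == d or host.endswith("." + d) for d in trusted)


def filter_referrals(urls, **policy):
    """Split a referral list into URLs to chase and URLs to drop (and log)."""
    chase, dropped = [], []
    for u in urls:
        (chase if referral_allowed(u, **policy) else dropped).append(u)
    return chase, dropped


if __name__ == "__main__":
    # Constructed sample referral list as a hypothetical client might receive it.
    sample = [
        "ldaps://dc1.sub.brandx.corp:636/DC=sub,DC=brandx,DC=corp",
        "ldap://dc1.sub.brandx.corp/DC=sub,DC=brandx,DC=corp",
        "ldaps://dc.evil.example/DC=evil,DC=example",
    ]
    ok, bad = filter_referrals(sample)
    print("chase:", ok)
    print("drop: ", bad)
```

Dropped referrals should be logged with the issuing server's name, since an unexpected referral target is itself a useful detection signal.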
