LDAP search failed
Brendan Kearney
bpk678 at gmail.com
Tue Jul 7 17:48:18 CEST 2015
On 07/07/2015 10:03 AM, Michael Ströder wrote:
> Hatim CHIKHI wrote:
>> I found the solution for the ldap slow search here:
>> http://lists.freeradius.org/pipermail/freeradius-users/2013-January/064566.html
>>
>> There is just an option in the ldap configuration of freeradius that must
>> be modified:
>>
>> ldap {
>> ...
>> chase_referrals = no
>> }
> I'd vote for this to be the default. Automagically chasing referrals is
> useless in almost any case, especially because it's a broken concept. At least
> I never had an LDAP deployment where this was safe to use - during the last 15+
> years.
>
> Ciao, Michael.

In larger environments, where multiple domains are in play, referrals
would need to be chased. I work in such an environment with AD. The
parent domain to the domain my ID is in has a two-way forest level
trust with the parent domain of a partner domain. Take the below example:

sub.acme.corp -> acme.corp <-> brandx.corp <- sub.brandx.corp

Since my ID is in sub.acme.corp, I need to chase referrals (or walk the
tree, as it has been called) to get Kerberos tickets for services hosted
in sub.brandx.corp (HTTP, etc.).

While this is not an everyday, run-of-the-mill configuration, it is
found in the wild.