LDAP search failed
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Wed Jul 8 06:17:43 CEST 2015
> On 7 Jul 2015, at 18:13, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:
>
>>
>> On 7 Jul 2015, at 12:10, Michael Ströder <michael at stroeder.com> wrote:
>>
>> Brendan Kearney wrote:
>>> On 07/07/2015 10:03 AM, Michael Ströder wrote:
>>>> Hatim CHIKHI wrote:
>>>>> I found the solution for the ldap slow search here:
>>>>> http://lists.freeradius.org/pipermail/freeradius-users/2013-January/064566.html
>>>>>
>>>>>
>>>>> There is just an option in the ldap configuration of freeradius that must
>>>>> be modified:
>>>>>
>>>>> ldap {
>>>>> ...
>>>>> chase_referrals = no
>>>>> }
>>>> I'd vote for this to be the default. Automagically chasing referrals is
>>>> useless in almost any case, especially because it's a broken concept. At least
>>>> I never had an LDAP deployment where this was safe to use - during the last 15+
>>>> years.
>>>
>>> In larger environments, where multiple domains are in play, referrals would
>>> need to be chased. I work in such an environment with AD. The parent domain
>>> to the domain my ID is in has a two-way forest level trust with the parent
>>> domain of a partner domain.
>> I know this very well. But what to do in this case is proprietary MS stuff.
>>
>> The problem is that nothing in LDAPv3 standard documents says that client-side
>> referral chasing should re-use the same bind identity possibly with same
>> client credentials when chasing a referral. In case of simple bind or
>> SASL/PLAIN it's even considered a security issue.
>
> Yes, I agree it is a security issue. The current behaviour was inherited from rlm_ldap v1.
>
>> So it's up to the client developers to let the admin define a referral policy
>> regarding bind (or interactively ask the user in UI clients).
>>
>> => as you can see in so many discussions on mailing lists, forums etc.
>> client-side referral chasing causes many more issues than it solves.
>
> There should be a knob to determine the source of the credentials used when chasing referrals.
Added use_referral_credentials as an option in v3.1.x.
-Arran
Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
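The following fragment is an added illustration, not configuration posted in this thread or shipped by the FreeRADIUS project, of how the referral policy discussed above maps onto the rlm_ldap `options` block as laid out in FreeRADIUS 3.0.x (`mods-available/ldap`). The server name, bind DN and password are constructed placeholders.

```conf
# Added example (not from the thread): rlm_ldap settings in FreeRADIUS 3.0.x
# mods-available/ldap, showing the referral settings discussed above.
# Hostname, DNs and the password are constructed placeholders.
ldap {
	server = 'ldap.example.org'                        # placeholder
	identity = 'cn=radius,ou=svc,dc=example,dc=org'   # placeholder bind DN
	password = 'CHANGE-ME'                             # placeholder
	base_dn = 'dc=example,dc=org'

	options {
		# Safe default: do not follow referrals at all. A referral in a
		# search result is then treated as a failed lookup instead of
		# opening a connection to whatever host the referral names.
		chase_referrals = no

		# If referrals must be followed (e.g. multi-domain AD), keep
		# rebind = no so the referred server is contacted without the
		# bind DN and password above being replayed to it. With
		# rebind = yes the same credentials are sent to every server a
		# referral points at, which is the behaviour the thread calls a
		# security issue.
		rebind = no
	}
}
```

The message above says v3.1.x adds `use_referral_credentials` as the knob for choosing which credentials are used when chasing referrals; its exact placement and accepted values are not given on this page, so the fragment sticks to the 3.0.x settings.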