Support for referral chasing enable and disable #405

Open
tilakbishtAVI opened this issue Dec 9, 2022 · 11 comments

@tilakbishtAVI

Hi, I am unsure whether the current implementation has any flag to enable or disable referral chasing while searching records in the LDAP server.

Please help me with this.

@tilakbishtAVI
Author

Hi Team,

Any update on this? Working on a critical part of our project and want to understand this feature in go-ldap @zerok @samuel @jefferai @johnweldon

@cpuschma
Member

cpuschma commented Dec 12, 2022

Referrals are defined in the search result:

ldap/v3/search.go, lines 317 to 325 in 0e43630:

```go
// SearchResult holds the server's response to a search request
type SearchResult struct {
	// Entries are the returned entries
	Entries []*Entry
	// Referrals are the returned referrals
	Referrals []string
	// Controls are the returned controls
	Controls []Control
}
```

Example:

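```go
package main

import (
	"fmt"
	"log"

	"github.com/go-ldap/ldap/v3"
)

func main() {
	// Placeholder values; replace with your directory's base DN and lookup key.
	baseDN, attribute, value := "dc=example,dc=org", "uid", "jdoe"

	conn, err := ldap.DialURL("ldap://XXX")
	if err != nil {
		log.Fatal(err)
	}
	defer conn.Close()

	searchResult, err := conn.Search(&ldap.SearchRequest{
		BaseDN:       baseDN,
		Scope:        ldap.ScopeWholeSubtree,
		DerefAliases: ldap.NeverDerefAliases,
		Filter:       fmt.Sprintf("(%s=%s)", attribute, ldap.EscapeFilter(value)),
		Attributes:   []string{"objectClass"},
	})
	if err != nil {
		log.Fatal(err)
	}

	// Referral URLs returned with the search result
	fmt.Println(searchResult.Referrals)
}
```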

@tilakbishtAVI
Author

tilakbishtAVI commented Dec 19, 2022

Hi @cpuschma This code will give me the referral list but it won't be searching for the given user in the referrals. Our requirement is that if the user is not found in the given DN then the LDAP server should automatically search in the referrals if there are any on the basis of a flag.

Below are the equivalent in ldapsearch commands:

  1. This won't search in referrals
    ldapsearch -vvv -h <LDAP_SERVER> -p <PORT> -D <ADMIN_DN> -W -b <BASE_DN>

  2. This will search in referrals too, -C flag is used to tell the LDAP server that we want it to search in referrals too
    ldapsearch -vvv -C -h <LDAP_SERVER> -p <PORT> -D <ADMIN_DN> -W -b <BASE_DN>

@tilakbishtAVI
Author

Hi @cpuschma did you get a chance to look into the above query?

@ram-parameswaran

@tilakbishtAVI would approving PR 376 fix the functionality you are looking for?

@akshay-ware-druva

I believe go-ldap doesn't support searching in the referral URLs. It just returns Referrals in the SearchResult, and it's the client's responsibility to connect to those referrals (binding, searching, etc.). @cpuschma is that right?

There is this method python ldap supports: connect.set_option(ldap.OPT_REFERRALS, 0). @cpuschma I am looking for something equivalent to python ldap's set_option method. Is there such an option in go-ldap?
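Since the thread establishes that the library hands back `SearchResult.Referrals` and leaves any connecting and binding to the caller, the caller decides which referral targets it will ever send a bind to. The following is an added example, not code from go-ldap or from any commenter; `ReferralPolicy`, its fields and the hostnames are hypothetical, and only the standard library is used so the filter can run on the `[]string` the library returns.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// ReferralPolicy is a hypothetical caller-side policy; go-ldap has no such type.
type ReferralPolicy struct {
	Follow       bool            // false: never chase, only report
	AllowedHosts map[string]bool // lower-case hostnames the client may bind to
	RequireTLS   bool            // accept ldaps:// only
}

// Select splits referral URLs into those the caller may chase and those
// rejected, each rejection annotated with the reason.
func (p ReferralPolicy) Select(referrals []string) (follow, rejected []string) {
	for _, raw := range referrals {
		u, err := url.Parse(raw)
		switch {
		case !p.Follow:
			rejected = append(rejected, raw+": chasing disabled")
		case err != nil || u.Hostname() == "":
			rejected = append(rejected, raw+": unparseable or no host")
		case u.Scheme != "ldaps" && (p.RequireTLS || u.Scheme != "ldap"):
			rejected = append(rejected, raw+": scheme not permitted")
		case !p.AllowedHosts[strings.ToLower(u.Hostname())]:
			rejected = append(rejected, raw+": host not on allowlist")
		default:
			follow = append(follow, raw)
		}
	}
	return follow, rejected
}

func main() {
	// Constructed sample shaped like SearchResult.Referrals.
	referrals := []string{
		"ldaps://dc2.corp.example:636/dc=corp,dc=example??sub",
		"ldap://dc2.corp.example/dc=corp,dc=example",
		"ldaps://unknown.example/dc=corp,dc=example",
	}
	policy := ReferralPolicy{Follow: true, RequireTLS: true,
		AllowedHosts: map[string]bool{"dc2.corp.example": true}}
	follow, rejected := policy.Select(referrals)
	fmt.Println("follow:", follow)
	fmt.Println("rejected:", rejected)
}
```

The zero value of `ReferralPolicy` rejects everything, so a caller that only authenticates users can leave chasing off and still log what the server referred it to.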

cpuschma self-assigned this Oct 31, 2023
@cpuschma
Member

I have a lot to do at the moment, but I will see if I can implement transactions as well as this feature as an optional function this weekend.

@appu333

appu333 commented Oct 31, 2023

I'd like to disable referral chasing in order to authenticate users using LDAP. @cpuschma, is it safe to assume that referral chasing is disabled by default in this client library & there's no need for explicit disabling, even though this option is currently unavailable in this library?

@akshay-ware-druva

> I'd like to disable referral chasing in order to authenticate users using LDAP. @cpuschma, is it safe to assume that referral chasing is disabled by default in this client library & there's no need for explicit disabling, even though this option is currently unavailable in this library

I also want to know if referral chasing is enabled or disabled by default?

@cpuschma
Member

cpuschma commented Nov 1, 2023

It doesn't exist yet, but to preserve backwards compatibility it will be disabled by default.

@JesseCoretta

> Below are the equivalent in ldapsearch commands:
>
>   1. This won't search in referrals
>     ldapsearch -vvv -h <LDAP_SERVER> -p <PORT> -D <ADMIN_DN> -W -b <BASE_DN>
>   2. This will search in referrals too, -C flag is used to tell the LDAP server that we want it to search in referrals too
>     ldapsearch -vvv -C -h <LDAP_SERVER> -p <PORT> -D <ADMIN_DN> -W -b <BASE_DN>

Just want to chime in on a compatibility note.

OpenLDAP's client referral flag is OBSOLETE, per a few comments here. This is probably why -C is not listed in ldapsearch --help output.

In this case, it might be advisable for the author to rewrite number 2 to avoid use of -C and provide for a non-obsolete use-case for the go-ldap devs to reference instead.

One way is simply editing ldap.conf (whether the system copy or the user copy, whichever applies):

  REFERRALS <on/true/yes/off/false/no>
    Specifies if the client should automatically follow referrals returned by LDAP servers.
    The default is on.  Note that the command line tools ldapsearch(1) &co always override
    this option.

... FWIW, not sure if that comment in the ldap.conf manpage needs to be updated by the maintainers of OpenLDAP (if the "override" is referring to the now-obsoleted -C option), with another option like -e ... to control chaining/referral preferences.

😃
