@@ -491,14 +491,15 @@ nsdb_open(const char *hostname, const unsigned short port, LDAP **ld,
}
/*
- * The FedFS protocol drafts do not specify how to handle LDAP
- * referrals. We probably don't want them, since our x.509 certs
- * will probably not be usable with a referred to LDAP server.
+ * To authenticate a referred-to NSDB node and handle our
+ * per-NSDB "follow referrals" setting, libnsdb wants
+ * to handle LDAP referrals explicitly.
*/
rc = ldap_set_option(tmp, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
if (rc != LDAP_OPT_SUCCESS) {
- xlog(D_GENERAL, "%s: Failed to disable referrals: %s",
- __func__, ldap_err2string(rc));
+ xlog(D_GENERAL, "%s: Failed to disable referrals "
+ "for NSDB '%s': %s", __func__,
+ hostname, ldap_err2string(rc));
goto out_ldap_err;
}
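Review bot: the new comment says libnsdb "wants to handle LDAP referrals explicitly" but does not say where that happens or why the fail-closed path matters; consider naming the function that consumes the referral URLs returned by the search and stating that the `goto out_ldap_err` on failure is intentional, because if LDAP_OPT_REFERRALS stayed at its LDAP_OPT_ON default libldap would chase the referral itself and the referred-to NSDB would never go through libnsdb's per-NSDB authentication or "follow referrals" check. The log message change is fine; `hostname` matches the nsdb_open() parameter in the hunk header, and the split string literal concatenates correctly.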
It wasn't always the case, but these days, the FedFS drafts _do_ have something to say about how to handle LDAP referrals when performing an NSDB request. NSDB clients must authenticate every NSDB they encounter. Thus an LDAP referral means the client has to consult its NSDB connection parameter database again for the referred-to NSDB node in order to authenticate it.

The LDAP_OPT_REFERRALS option enables the LDAP library to handle LDAP referrals transparently to the caller. It's set to LDAP_OPT_ON by default. This means libnsdb would never see an LDAP referral. Since we need to make sure proper authentication occurs in this case, libnsdb must see LDAP referrals and deal with them.

Thus, the LDAP_OPT_OFF setting is correct, but the reason in the comment for that setting is invalid.

Our implementation also has a per-NSDB setting that allows an administrator to disable following LDAP referrals entirely. That's implemented by checking that setting when a referral occurs. This logic also requires that the LDAP library expose referrals to libnsdb.

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---
 src/libnsdb/ldap.c | 11 ++++++-----
 1 files changed, 6 insertions(+), 5 deletions(-)