directory-api mailing list archives

From Emmanuel Lécharny
Subject Re: Last needed feature for the API : referral handling
Date Sat, 12 Nov 2016 17:41:12 GMT

On 12/11/16 at 13:00, Stefan Seelmann wrote:
> On 11/12/2016 10:31 AM, Emmanuel Lécharny wrote:
>> Hi guys,
>> there is one last feature that is critical for the API, it's the
>> referral handling. Basically, we need to be able to automatically send a
>> new request when we receive a Referral response. It's not that complex,
>> we just need to open a new connection and send the request.
>> There are a few things to take care of, naturally :
>> - we should not end up hopping from referral to referral indefinitely. A
>> limit has to be set
>> - we must detect cycles (but that can be done using the above limit).
>> - we need to distinguish between a referral we must follow from a referral
>> we must treat as a value. Typically, the second form might be available
>> for the user to edit it.
> I think what is missing is what Radovan already mentioned [1]: different
> connection parameters. For example: For the read-only LDAP slave one
> browses without authentication and uses no encryption. But when
> modifying an entry the referral to the LDAP master requires StartTLS and
> GSSAPI authentication. Such a scenario requires user interaction.

Indeed. AFAICT, there is nothing specific in any RFC about the 'follow'
option, except that we implicitly reuse the same credentials, which is
clearly a limitation.

Now, we have two options here :
- we let the user take care of the credentials, and that means 'follow'
is not an option.
- we add some configuration in the connection to let the API create a
connection using distinguished credentials based on the targeted serv

IMO, the second option, while ideal, would add some increased
complexity. I would really favor the first solution atm, at least for 1.0

Emmanuel Lecharny
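
The constraints discussed in this thread (a hop limit, cycle detection, and no implicit reuse of credentials on the referred-to server), sketched as an added example that is not part of the original message and not code from the Apache Directory LDAP API. All class and method names, the limit of 5, and the host names are assumptions, and the replies are constructed.

```java
import java.net.URI;
import java.util.*;
import java.util.function.BiFunction;

// Added illustration: every class and method name here is hypothetical.
public class ReferralChaser {
    static final int MAX_HOPS = 5; // assumed limit on referrals followed per request
    /** Constructed stand-in for a server reply: a result, or a referral URL. */
    static final class Reply {
        final String result, referral;
        Reply(String result, String referral) { this.result = result; this.referral = referral; }
    }
    static final class Unfollowed extends Exception { // referral handed back to the caller
        Unfollowed(String why, String url) { super(why + ": " + url); }
    }
    static String server(String url) { // scheme://host:port, the key for credential lookup
        URI u = URI.create(url);
        int port = u.getPort() >= 0 ? u.getPort() : "ldaps".equalsIgnoreCase(u.getScheme()) ? 636 : 389;
        return u.getScheme().toLowerCase() + "://" + u.getHost().toLowerCase() + ":" + port;
    }
    /** Follows referrals; a target with no configured credentials is never sent the previous ones. */
    static String chase(String start, Map<String, String> credentials,
                        BiFunction<String, String, Reply> send) throws Unfollowed {
        Set<String> seen = new HashSet<>(); // simplification: whole URLs, compared case-insensitively
        String url = start;
        for (int hop = 0; hop <= MAX_HOPS; hop++) {
            if (!seen.add(url.toLowerCase())) throw new Unfollowed("referral cycle", url);
            String cred = credentials.get(server(url));
            if (cred == null) throw new Unfollowed("no credentials configured for target", url);
            Reply r = send.apply(url, cred);
            if (r.referral == null) return r.result;
            url = r.referral;
        }
        throw new Unfollowed("hop limit exceeded", url);
    }
    public static void main(String[] args) {
        Map<String, String> creds = Map.of("ldap://replica.example:389", "anonymous",
                                           "ldap://master.example:389", "GSSAPI over StartTLS");
        Map<String, Reply> net = Map.of( // constructed replies keyed by request URL
            "ldap://replica.example/ou=people", new Reply(null, "ldap://master.example/ou=people"),
            "ldap://master.example/ou=people", new Reply("modified on master", null),
            "ldap://replica.example/ou=loop", new Reply(null, "ldap://replica.example/ou=loop"),
            "ldap://replica.example/ou=ext", new Reply(null, "ldap://other.example/ou=ext"));
        for (String dn : List.of("ou=people", "ou=loop", "ou=ext")) {
            try { System.out.println(chase("ldap://replica.example/" + dn, creds, (u, c) -> net.get(u))); }
            catch (Unfollowed e) { System.out.println(e.getMessage()); }
        }
    }
}
```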
