noirello / bonsai

Simple Python 3 module for LDAP, using libldap2 and winldap C libraries.
MIT License

Are LDAP referrals supported? #90

Open mdurkovic opened 8 months ago

mdurkovic commented 8 months ago

Hi,

I have an AD multi-domain forest where I rely on LDAP referral search result such as the following:

# ldapsearch -H "ldap://███████.███████.███████.local" -s base -b "<SID=███████████████████████████████████>"
SASL/GSS-SPNEGO authentication started
SASL username: █████@███████.███████.LOCAL
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <<SID=███████████████████████████████████>> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 3
result: 10 Referral
text: 0000202B: RefErr: DSID-0310074A, data 0, 1 access points
        ref 1: '███████.local'

ref: ldap://███████.local/

# numResponses: 1

Trying the same search with bonsai returns an empty list:

import asyncio
from pprint import pprint
from bonsai import LDAPClient, LDAPSearchScope

async def main():
    client = LDAPClient("ldap://███████.███████.███████.local")
    # Bind over SASL/GSSAPI, as in the ldapsearch run above
    client.set_credentials("GSSAPI")
    # Keep referrals in the result instead of dropping them...
    client.set_ignore_referrals(False)
    # ...and do not have them chased automatically
    client.set_server_chase_referrals(False)
    async with client.connect(is_async=True) as conn:
        # Same base-scoped search on the SID as the ldapsearch command
        res = await conn.search(
            base="<SID=███████████████████████████████████>",
            scope=LDAPSearchScope.BASE,
        )
        pprint(res)

if __name__ == "__main__":
    asyncio.run(main())

Search continuation references work as expected.

Is there anything I'm missing or are the LDAP referrals (result code 10) being ignored?

mdurkovic commented 8 months ago

Nevermind, I found my answer: https://github.com/noirello/bonsai/commit/561f0ccdd207b864a8723526c2010ab76e39b4b3

noirello commented 8 months ago

Hi, I'm confused a little. I'd expect that after setting set_ignore_referrals to False, the search result returns LDAPReference objects. I've never tested it with AD, but that's how it works with OpenLDAP and referral objectClasses.
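Whether the referral arrives as a result code 10 (the ldapsearch output in the question) or as an LDAPReference object in the search result (the behaviour noirello describes), what the client gets is a list of LDAP URLs, and it has to decide for itself where to send the follow-up search. The script below is an added example, not bonsai's code and not part of this issue: it parses RFC 4516 LDAP URLs with the standard library only, applies the RFC 4511 section 4.1.10 fallbacks (an empty DN or missing scope in the URL means "reuse the original request's"), and only follows referrals into an allowlisted DNS suffix. All host names, the SID and the trusted suffix are constructed stand-ins for the redacted values in the issue.

```python
"""Parse LDAP referral URLs and decide which ones a client may follow.

Constructed example: the host names, SID and trusted-suffix list are made
up stand-ins for the values redacted in the issue.
"""
from urllib.parse import urlsplit, unquote

# RFC 4516 scope keywords and the default port for each scheme.
SCOPES = ("base", "one", "sub")
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

# Constructed allowlist: only follow referrals that stay inside this forest.
TRUSTED_SUFFIXES = ("example.local",)


def parse_ldap_url(url):
    """Split an RFC 4516 LDAP URL into host, port, dn, attrs, scope, filter.

    Missing parts come back as None (the DN as '') so the caller can fall
    back to the original request, as RFC 4511 section 4.1.10 requires.
    """
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError("not an LDAP URL: %r" % url)
    if not parts.hostname:
        raise ValueError("referral URL without a host: %r" % url)
    dn = unquote(parts.path.lstrip("/"))
    # Everything after the first '?' is attrs?scope?filter?extensions;
    # urlsplit keeps that whole in .query, so split it on '?' ourselves.
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (4 - len(fields))
    attrs, scope, filt, _extensions = (unquote(f) for f in fields[:4])
    if scope and scope.lower() not in SCOPES:
        raise ValueError("bad scope in URL: %r" % scope)
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or DEFAULT_PORTS[parts.scheme],
        "dn": dn,
        "attrs": attrs.split(",") if attrs else None,
        "scope": scope.lower() or None,
        "filter": filt or None,
    }


def is_trusted_host(host, trusted_suffixes=TRUSTED_SUFFIXES):
    """True if host equals one of the trusted suffixes or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in trusted_suffixes)


def resolve_referral(base, scope, referral_urls, trusted_suffixes=TRUSTED_SUFFIXES):
    """Turn the URLs of a referral (result code 10) or a search continuation
    reference into follow-up searches, dropping any that leave the trusted
    suffixes. Returns (follow_ups, rejected)."""
    follow_ups, rejected = [], []
    for url in referral_urls:
        try:
            ref = parse_ldap_url(url)
        except ValueError as exc:
            rejected.append((url, str(exc)))
            continue
        if not is_trusted_host(ref["host"], trusted_suffixes):
            rejected.append((url, "host outside trusted suffixes"))
            continue
        follow_ups.append({
            "scheme": ref["scheme"],
            "host": ref["host"],
            "port": ref["port"],
            # RFC 4511 4.1.10: no DN in the URL means "same DN as the request",
            # no scope means "same scope as the request".
            "base": ref["dn"] or base,
            "scope": ref["scope"] or scope,
        })
    return follow_ups, rejected


def demo():
    """Constructed stand-in for the issue's base-scoped search on a SID that
    the server answers with a referral to another domain of the forest."""
    base = "<SID=S-1-5-21-1111111111-2222222222-3333333333-1105>"
    urls = ["ldap://child.example.local/", "ldap://untrusted.example.test/"]
    return resolve_referral(base, "base", urls)


if __name__ == "__main__":
    follow_ups, rejected = demo()
    for f in follow_ups:
        print("follow: %(scheme)s://%(host)s:%(port)d base=%(base)s scope=%(scope)s" % f)
    for url, why in rejected:
        print("reject: %s (%s)" % (url, why))
```

The allowlist is the part worth keeping in any real client: a referral asks the client to open a new connection and bind again on another server, so following referrals only into the forest's own DNS suffixes keeps a SASL/GSSAPI bind from being redirected to a host the directory administrators do not control. Counting hops (and refusing after a small limit) is the other usual guard, since two servers can refer to each other indefinitely.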