Softerra LDAP Administrator Help

LDAP Referrals

Referrals allow a directory tree to be partitioned and distributed among multiple LDAP servers. An LDAP server therefore does not have to store the entire DIT; it can instead hold references to other LDAP servers that offer the requested information. So, when you browse a directory, an LDAP server can refer you to another server by returning referrals. A referral is an entry with the referral objectClass that contains at least one attribute named ref, whose value is the LDAP URL of the referred entry on another LDAP server.

There are two known types of referrals: Result referral (RR) and Search reference (SR). A Result referral (RR) is always part of a result message with the REFERRAL code and can be returned in response to any request sent to the server. A Search reference (SR) is returned as one of a sequence of messages sent only in response to a search request.

Referral Handling Modes

The way LDAP Administrator handles referrals is determined by the referral handling mode, a setting that affects browsing behavior when a referral is encountered. The following three modes are available:

  • None. This mode disables referral handling entirely. All encountered referrals are ignored and never displayed.

  • Opaque. If the server returns a referral while this mode is in use, the referral entry itself is not displayed; instead, LDAP Administrator inserts the sub-entries of the returned referral entry.

  • Manual. This mode is set by default for each profile. Any received referrals are displayed as a special kind of entry whose sub-entries are displayed only after you expand them manually.

You can choose a referral mode while creating a profile or by using its LDAP Settings property page.

All modification requests sent to the server follow referrals automatically if a referral is returned in response to such a request, regardless of the referral handling mode set by the user.

Authentication While Following Referrals

When you decide to follow a referral, some LDAP servers may require user authentication. By default, LDAP Administrator tries to select appropriate credentials automatically with the help of the Credentials Manager. If no appropriate credentials for the server can be found, you will be prompted to specify them manually. (Learn more about managing credentials).

However, if you do not want the application to look for matching credentials automatically, you can disable this option. From then on, every time a referral that needs authentication is retrieved, you will need to specify appropriate credentials for access. To enable or disable automatic credential matching for referral rebinds, do the following:

  1. Select a server profile or (if using the Manual mode for handling referrals) a referral entry you'd like to adjust the above option for.

  2. Open its properties by clicking Properties on the Standard toolbar and select the Credentials page.

  3. On this page, check or uncheck the Try matching the credentials required for referral rebind box.

If you opt for the Manual mode of handling referrals, you can also specify a referral's credentials by using the referral entry's Credentials property page.
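Because a referral names the server that the next bind goes to, it helps to inspect the ref value before any stored credentials are matched to it. The Python below is an added example, not part of the Softerra help and not LDAP Administrator's own logic: it parses a ref value as an LDAP URL and decides whether a rebind may use stored credentials. The host allowlist, the function names and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit, unquote

# Assumed policy for this example: hosts allowed to receive stored credentials.
TRUSTED_HOSTS = {"ldap2.example.com", "ldap-eu.example.com"}
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

# Constructed sample values of the "ref" attribute.
SAMPLE_REFS = [
    "ldaps://ldap2.example.com/ou=People,dc=example,dc=com??sub",
    "ldap://ldap2.example.com/ou=People,dc=example,dc=com",
    "ldaps://unknown-host.example.net/dc=example,dc=com",
    "ldap:///dc=example,dc=com",
]

def parse_ref(url):
    """Split one 'ref' value (an LDAP URL, RFC 4516) into its parts."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"not an LDAP URL: {url!r}")
    # After the DN come ?attributes?scope?filter?extensions, all optional.
    fields = (parts.query.split("?") + [""] * 4)[:4]
    return {
        "scheme": scheme,
        "host": parts.hostname or "",  # urlsplit lowercases the host
        "port": parts.port or DEFAULT_PORTS[scheme],
        "dn": unquote(parts.path.lstrip("/")),
        "scope": fields[1] or "base",
        "filter": unquote(fields[2]),
    }

def rebind_decision(url, trusted=TRUSTED_HOSTS):
    """Return 'rebind', 'prompt' or 'reject' for a referral target."""
    try:
        ref = parse_ref(url)
    except ValueError:  # wrong scheme, bad port, malformed host
        return "reject"
    if not ref["host"]:
        return "reject"  # host-less URL: no explicit target to verify
    if ref["host"] not in trusted:
        return "prompt"  # unknown server: do not pick stored credentials
    if ref["scheme"] != "ldaps":
        return "prompt"  # trusted name, but the URL does not require TLS
    return "rebind"

if __name__ == "__main__":
    for ref_url in SAMPLE_REFS:
        print(rebind_decision(ref_url), ref_url)
```

Here "prompt" corresponds to specifying credentials manually, as described above, rather than letting them be selected automatically.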

Editing Referrals (ManageDsaIT Control)

Sometimes you may want to edit referral entries as normal entries, e.g. to change the LDAP URL they refer to. This can be done by using the ManageDsaIT control. This control informs an LDAP server of your intention to manage referral objects as regular entries, allowing you to read and modify these entries.

To enable this control, please do the following:

  1. Select a server profile or (if using the Manual mode for handling referrals) a referral entry you'd like to adjust the control for.

  2. Click ManageDsaIt on the Server toolbar.

Your server may not support the ManageDsaIT control.
