The act of dereferencing an alias includes recursively dereferencing aliases that refer to aliases.
Servers MUST detect looping while dereferencing aliases in order to prevent denial-of-service attacks of this nature. If a loop is detected, then a LDAP Result Code of LDAP_LOOP_DETECT will typically be returned to the DUA.
- neverDerefAliases (0) - Do not dereference aliases in searching or in locating the base object of the Search.
- derefInSearching (1) -
- While searching subordinates of the base object, dereference any alias within the search scope.
- Dereferenced objects become the vertices of further search scopes where the Search operation is also applied.
- If the search scope is wholeSubtree, the Search continues in the subtree(s) of any dereferenced object.
- If the search scope is singleLevel, the search is applied to any dereferenced objects and is not applied to their subordinates.
- Servers SHOULD eliminate duplicate entries that arise due to alias dereferencing while searching.
- derefFindingBaseObj (2) - Dereference aliases in locating the base object of the Search, but not when searching subordinates of the base object.
- derefAlways (3) - Dereference aliases both in searching and in locating the base object of the Search.