Overview #

An LDAP Referral provides a reference to an alternate location in which an LDAP Request may be processed.

The DSA can return to the DUA a "referral" error response for any LDAP Request that requires a response. The response carries the LDAP Result Code "10" and an appropriate set of LDAP URLs. All of the URLs in the response are equivalent in that using any one should yield the correct result. The DUA should select one to continue the operation.

An LDAP Referral may also be returned to clients as a result from a SearchRequest in a Search Result Reference.

Generic Referrals #

In a partitioned directory, by definition, the entire directory is not always available on any one DSA.

If a DUA issues a request to a DSA with an invalid DN (the base of the DN does not exist in any suffix directive for the server), the DSA can return an LDAP Result Code response of "10" and an appropriate set of LDAP URLs.

This is the DSA's way of indicating to a DUA that it does not have a copy of a requested Entry (or, more precisely, that it does not hold the section of the DIT where that Entry would be, if in fact it exists) and giving the client a location that might hold the entry, which the client may use as the basis for an additional search. Ideally, referrals always reference a DSA that indeed holds the Entry, but this cannot be guaranteed.

There is also the possibility for the referred-to DSA to generate yet another LDAP Referral, although it usually does not take long to discover that the Entry does not exist and to inform the DUA.
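Because the referred-to DSA is not guaranteed to hold the Entry and may itself return another referral, a DUA that follows referrals needs a policy for which URL to use and when to stop. The following is an added example, not part of the original page: the allow-listed host names, the hop limit, the TLS requirement and the function names are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit, unquote

REFERRAL = 10          # LDAP Result Code "referral"
MAX_HOPS = 5           # assumed hop limit for chained referrals
ALLOWED_HOSTS = {"ldap1.example.com", "ldap2.example.com"}  # constructed allow-list


def parse_ldap_url(url):
    """Split an LDAP URL into (scheme, host, port, base DN); raise ValueError if malformed."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    host = (parts.hostname or "").lower()
    port = parts.port or (636 if scheme == "ldaps" else 389)  # .port raises on bad ports
    return scheme, host, port, unquote(parts.path.lstrip("/"))


def choose_referral(result_code, urls, visited, hops, require_tls=True):
    """Return the first referral target that passes policy, or None to stop.

    visited is the set of (host, port, dn) targets already contacted for this
    operation; hops is how many referrals have been followed so far.
    """
    if result_code != REFERRAL or hops >= MAX_HOPS:
        return None
    for url in urls:  # the URLs are equivalent, so any acceptable one will do
        try:
            scheme, host, port, dn = parse_ldap_url(url)
        except ValueError:
            continue
        if host not in ALLOWED_HOSTS:
            continue  # do not carry the bind to a server outside the allow-list
        if require_tls and scheme != "ldaps":
            continue
        if (host, port, dn.lower()) in visited:
            continue  # loop: this DSA was already asked about this base
        return scheme, host, port, dn
    return None


# Constructed sample response: result code 10 with two referral URLs.
sample = ["ldap://rogue.example.net/dc=example,dc=com",
          "ldaps://ldap2.example.com/ou=People,dc=example,dc=com"]
print(choose_referral(REFERRAL, sample, visited=set(), hops=0))
```

The caller adds each returned target to `visited` and increments `hops` before reissuing the request, so a chain of referrals ends after a bounded number of steps.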

LDAP Referral Details #

An LDAP Server Implementation could contain both Superior Referral and Subordinate Referral entries.

Superior Referrals #

Superior Referrals point upward in the DIT toward the root. They tie the partitioned naming context to its parent. Typically Superior Referrals point to a different DIT than the DIT to which the request was originally presented.

Subordinate Referrals #

Subordinate Referrals point downward in the DIT to other partitions.

Referral ObjectClass #

Referrals may be explicitly defined in a DIT using the Referral ObjectClass. The Referral ObjectClass takes a single Ref attribute which must be an LDAP URL.

The Referral ObjectClass is typically used when the base distinguished name of the operation is not in this directory, but the administrator has knowledge of another LDAP directory where it might be found. We have seen this described as an "external referral".

This page (revision-24) was last changed on 10-Dec-2014 17:23 by jim