Overview#

Dereference Policy is an element of a Search Request that specifies how the server should handle Alias entries that may be encountered during search processing.

The act of dereferencing an alias includes recursively dereferencing aliases that refer to aliases.

Servers MUST detect looping while dereferencing aliases in order to prevent denial-of-service attacks of this nature. If a loop is detected, then a LDAP Result Code of LDAP_LOOP_DETECT will typically be returned to the DUA.

Possible Values#

• neverDerefAliases (0) - Do not dereference aliases in searching or in locating the base object of the Search.
• derefInSearching (1) -
  • While searching subordinates of the base object, dereference any alias within the search scope.
  • Dereferenced objects become the vertices of further search scopes where the Search operation is also applied.
  • If the search scope is wholeSubtree, the Search continues in the subtree(s) of any dereferenced object.
  • If the search scope is singleLevel, the search is applied to any dereferenced objects and is not applied to their subordinates.
  • Servers SHOULD eliminate duplicate entries that arise due to alias dereferencing while searching.
• derefFindingBaseObj (2) - Dereference aliases in locating the base object of the Search, but not when searching subordinates of the base object.
• derefAlways (3) - Dereference aliases both in searching and in locating the base object of the Search.

Bind Request#

During a Bind Request where the server attempts to locate the FDN object, it SHALL NOT perform alias dereferencing.

Modify Request#

During a Modify Request where the server attempts to locate the FDN object, it SHALL NOT perform alias dereferencing.

More Information#

There might be more information for this subject on one of the following:

• Alias
• Best Practices For LDAP Naming Attributes
• Glossary Of LDAP And Directory Terminology
• SearchRequest