The DSA can return to the DUA an "LDAP Referral" response for any LDAP Request that requires a response. The response carries an LDAP Result Code of "10" and an appropriate set of LDAP URLs. All of the URLs in the response are equivalent, in that using any one of them should yield the correct result. The DUA should select one to continue the operation.
An LDAP Referral may also be returned to clients as a result from a SearchRequest in a Search Result Reference.
If a DUA issues a request to a DSA with an invalid DN (the base of the DN does not exist in any suffix directive for the server), the DSA returns an LDAP Result Code response of "10" and an appropriate set of LDAP URLs.
This is the DSA's way of indicating to a DUA that it does not have a copy of a requested Entry (or, more precisely, that it does not hold the section of the DIT where that Entry would be, if in fact it exists) and giving the client a location that might hold the entry, which the client may use as the basis for an additional search. Ideally, referrals always reference a DSA that indeed holds the Entry, but this cannot be guaranteed.
There is also the possibility for the referred-to DSA to generate yet another LDAP Referral, although it usually does not take long to discover that the Entry does not exist and to inform the DUA.
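An added example, not part of the original page: how a DUA might follow result code "10" responses, taking the first acceptable URL from the equivalent set, bounding the number of hops and refusing to revisit a DSA it has already asked. The host allowlist, the hop limit, all function names and the sample topology are assumptions constructed for illustration; sample_send stands in for a real LDAP request.

```python
from urllib.parse import urlsplit, unquote

SUCCESS, REFERRAL, NO_SUCH_OBJECT = 0, 10, 32  # LDAP result codes

class ReferralError(Exception):
    """Raised when a referral chain cannot be followed safely."""

# Constructed sample topology: (host, DN) -> (result code, referral URLs).
DN = "cn=bob,ou=people,dc=example,dc=org"
SAMPLE_DSAS = {
    ("dsa1.example.com", DN): (REFERRAL, ["ldap://unknown.example.net/" + DN,
                                          "ldap://dsa2.example.com/" + DN]),
    ("dsa2.example.com", DN): (SUCCESS, []),
    ("loop-a.example.com", DN): (REFERRAL, ["ldap://loop-b.example.com/"]),
    ("loop-b.example.com", DN): (REFERRAL, ["ldap://loop-a.example.com/"]),
}

def sample_send(host, dn):
    """Stand-in for a real LDAP request; unknown targets hold no such entry."""
    return SAMPLE_DSAS.get((host, dn), (NO_SUCH_OBJECT, []))

def pick_url(urls, dn, allowed_hosts, visited):
    """Return (host, dn) for the first acceptable URL; all are equivalent."""
    for url in urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        # Use the DN from the URL if present, otherwise keep the current one.
        next_dn = unquote(parts.path.lstrip("/")) or dn
        if (parts.scheme in ("ldap", "ldaps") and host in allowed_hosts
                and (host, next_dn) not in visited):
            return host, next_dn
    raise ReferralError("no acceptable referral URL in %r" % (urls,))

def chase(host, dn, allowed_hosts, max_hops=3, send=sample_send):
    """Follow result code 10 responses; return (code, answering host, hops)."""
    visited, hops = set(), 0
    while True:
        visited.add((host, dn))
        code, urls = send(host, dn)
        if code != REFERRAL:
            return code, host, hops
        if hops == max_hops:
            raise ReferralError("hop limit %d reached at %s" % (max_hops, host))
        host, dn = pick_url(urls, dn, allowed_hosts, visited)
        hops += 1
```

Restricting referral targets to an allowlist keeps the DUA from binding to a server the administrator never intended it to contact.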
The referral field is defined by:
Referral ::= SEQUENCE OF LDAPURL (one or more URLs)
LDAPURL ::= LDAPString /*The string is limited to characters permitted in URLs*/
The Referral ObjectClass is typically used when the base distinguished name of the operation is not in this directory, but the administrator has knowledge of another LDAP directory where it might be found. We have seen this described as an "external referral".