The PSM support just mimics the existing MozLDAP behavior. It's worth noting that the existing behavior will typically break when chasing referrals: The hostname that's passed in persists until the LDAP* handle is closed and is used for all Connection attempts. If a referral is received which points to ldaps:// on a different host, the hostname will not match and the connection should fail. If the referral points to the same host (as is common on MSAD) then it will probably succeed.
To fix this problem the Connect callback should record a bit more info, to answer two questions:
1) whether it successfully connected once before - that will allow distinguishing referral chasing from the first successful connection.
2) whether the IP address of the current connection attempt matches the previous successful attempt - that will distinguish referrals to the same host from referrals to a different host.
Then when it's determined that this connect attempt is chasing a secure referral on a different server, it can just use the name provided in the callback argument list.
The PSM support just mimics the existing MozLDAP behavior. It's worth noting that the existing behavior will typically break when chasing referrals: The hostname that's passed in persists until the LDAP* handle is closed and is used for all Connection attempts. If a referral is received which points to ldaps:// on a different host, the hostname will not match and the connection should fail. If the referral points to the same host (as is common on MSAD) then it will probably succeed.
To fix this problem the Connect callback should record a bit more info, to answer two questions:
1) whether it successfully connected once before - that will allow distinguishing referral chasing from the first successful connection.
2) whether the IP address of the current connection attempt matches the previous successful attempt - that will distinguish referrals to the same host from referrals to a different host.
Then when it's determined that this connect attempt is chasing a secure referral on a different server, it can just use the name provided in the callback argument list.