
Can I bind to server with DN not on server ?

Is it possible to bind to an ldap server with a dn that is NOT in a naming context on that server?


For example I have 3 servers glued together with subordinate and superior referrals:
server A:
suffix "o=XYZ"
contains ou=SFO,o=XYZ
with subordinate referrals to servers B & C for ou=NYC,o=XYZ & ou=DCA,o=XYZ


server B:
suffix  "ou=NYC,o=XYZ"
superior referral to server A: referral ldap://serverA/
access to dn.children="ou=People,ou=NYC,o=XYZ"
   by dn.children="ou=People,ou=NYC,o=XYZ" write
   by dn.children="ou=People,ou=SFO,o=XYZ" write

server C:
suffix  "ou=DCA,o=XYZ"
superior referral to server A: referral ldap://serverA/
access to dn.children="ou=People,ou=DCA,o=XYZ"
   by dn.children="ou=People,ou=DCA,o=XYZ" write
   by dn.children="ou=People,ou=SFO,o=XYZ" write

Regardless of the bind method, and regardless of which server I bind to, I cannot seem to get the SFO people to see the entries on the other sites. Slapd does not seem to follow referrals when it is trying to authenticate the user.

Is this even possible? I can provide more details of course, but I have a sneaking suspicion that this is the intended behavior.

Is there a better approach? I would prefer not to replicate the entire tree across all sites if possible.

Thanks,
Tom

--
Tom Riddle
HighStreet Networks
www.highstreetnetworks.com
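As an added illustration (not part of the post above), here is a small Python helper that answers the question "which server in this referral layout actually holds a given bind DN?" by matching the DN against each server's naming contexts and subordinate referrals. The suffixes and referral targets are taken from the three-server description in the post; the server names, the user entries and the DN-normalization rules are constructed assumptions for the example.

```python
"""Which server in the post's referral layout actually holds a bind DN?
Added example, not from the post: suffixes and referral targets mirror the
three servers described above; entries are constructed sample data."""
from typing import Dict, List, Optional


def normalize_dn(dn: str) -> List[str]:
    """Split a DN into RDNs, lower-cased and whitespace-stripped
    (sufficient for the unescaped DNs used in this example)."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return parts


def dn_under(dn: str, suffix: str) -> bool:
    """True if dn is suffix itself or an entry beneath it."""
    d, s = normalize_dn(dn), normalize_dn(suffix)
    return len(d) >= len(s) and d[-len(s):] == s


# namingContexts each server would publish in its root DSE (constructed
# from the suffix lines in the post).
NAMING_CONTEXTS: Dict[str, List[str]] = {
    "serverA": ["o=XYZ"],
    "serverB": ["ou=NYC,o=XYZ"],
    "serverC": ["ou=DCA,o=XYZ"],
}

# Subordinate referrals: subtrees a server hands off to another server
# (constructed from the post; B and C hold none).
SUBORDINATE_REFERRALS: Dict[str, Dict[str, str]] = {
    "serverA": {"ou=NYC,o=XYZ": "ldap://serverB/",
                "ou=DCA,o=XYZ": "ldap://serverC/"},
}


def holds_dn(server: str, dn: str) -> bool:
    """Does server hold dn in its own database, i.e. inside one of its
    naming contexts and not in a subtree it refers elsewhere?"""
    in_context = any(dn_under(dn, c) for c in NAMING_CONTEXTS[server])
    referred = any(dn_under(dn, s)
                   for s in SUBORDINATE_REFERRALS.get(server, {}))
    return in_context and not referred


def home_server(dn: str) -> Optional[str]:
    """Name the server whose database contains dn, or None if no
    server in the layout serves it."""
    return next((s for s in NAMING_CONTEXTS if holds_dn(s, dn)), None)
```

Running `holds_dn("serverB", "uid=tom,ou=People,ou=SFO,o=XYZ")` shows that an SFO user's DN lies outside server B's naming context, which is the situation the post describes when binding to B or C with an SFO DN.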