RE: referrals
On Fri, 16 Jan 2004, Howard Chu wrote:
> > -----Original Message-----
> > From: owner-openldap-software@OpenLDAP.org
> > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Igor Brezac
>
> > Is it possible for a slave(replica) slapd server to chase referrals?
> > This was not possible in 2.1, but I was wondering if this can be done in
> > 2.2. I would like for an ldap client to be able to send modify/add
> > queries to slave slapd servers which in turn update the master.
>
> Yes, if you build slapd with back-ldap you can configure a chaining overlay
> that will chase referrals.
>
> database bdb
> suffix o=foo
> <back-bdb config directives>
> updateref ldap://master
> overlay chain
> back-ldap config directives:
> uri ldap://master
> binddn ...
> bindpw ...
>
> Note that since back-ldap only knows how to deal with a single target URI,
> (unlike back-meta, which handles multiple targets) this will only work if all
> your referrals point to the same server. At some point we'll overhaul
> back-ldap and add multiple target functionality to it...
>
> There is no documentation for this feature yet, the code is probably not in
> its final form. At present, the way it works is by opening a session to the
> remote server, binding with the binddn/bindpw, and executing the operation
> with a proxyAuthz control set to the original user's DN. No DN mapping is
> performed on the user's DN - in this context, the master and slave server are
> supposed to have identical DITs so mapping should not be needed. Obviously
> the binddn must have proxy privileges on the master server.
Howard,
I set up overlay chain as described above, but it does not work for me.
Both slave and master DIT are the same. The master ldap server is not
receiving any connection attempts from the slave. ldapmodify on the slave
returns a referral url. It appears that the overlay is not used.
$ ldapmodify -H ldap:/// -f ./i
SASL/DIGEST-MD5 authentication started
Please enter your password:
SASL username: igor
SASL SSF: 128
SASL installing layers
modifying entry "associatedDomain=ipass.net+cn=igor,ou=People,o=pb"
ldap_modify: Referral (10)
referrals: ldaps://jupiter.ipass.net/associatedDomain=ipass.net+cn=igor,ou=People,o=pb
Any ideas? (I use 2.2.11 and back-ldap is compiled in)
Thanks,
--
Igor