[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Overlay glue
Eudes LEDUCQ writes:
> I have tried without success ... I search to do this but my two
> database are on different server. is it possible ?
Oh, I see. That's not a glue/subordinate matter.
With LDAP, if clients search one server for data which is stored in
another server, you normally set up the first server to return a
referral to the second in this case. When the client receives a
referral follows it (if this is enabled in the client) - i.e. it tries
the request against the second server.
If server A contains the tree with base "dc=example,dc=com" except that
the "ou=foo,dc=example,dc=com" tree is in server B, then you create an
entry "ou=foo,dc=example,dc=com" in server A with object class
"referral" which refers to server B:
dn: ou=foo,dc=example,dc=com
ou: foo
ref: ldap://B.example.com/ou=foo,dc=example,dc=com
objectClass: referral
objectClass: extensibleObject
OTOH, if you are going the other way (from B to A), then you can just
use the "referral" directive in B's slapd.conf to refer _all_ searches
above "ou=foo,dc=example,dc=com" to server A.
However, you can set up one server to search the other server for you
instead of returning a referral to the client:
For server B to contact server A, you would use two databases in B's
slapd.conf:
database bdb
suffix ou=foo,dc=example,dc=com
... just a usual BDB (or HDB or LDBM) database ...
# Actually I haven't tried if "subordinate" works here.
# Without it, searches based at dc=example,dc=com will not search
# ou=foo, only searches at or below ou=foo,... will do that.
subordinate
...
database ldap
suffix dc=example,dc=com
uri ldap://A.example.com/
Now access to the ou=foo,... tree will work as usual, while B contacts A
for access to the rest of the dc=example,dc=com tree.
For server A to contact server B you can do it the other way around in
A, but it's probably better to have just one database and the referral
object above, and use the "chain" overlay which will follows referrals
for you.
I don't know if the chain overlay and ldap database discover loops from
B to A to B to A, so I wouldn't set up both servers to chain to each
other without checking if that's a good idea.
Note that there are various restrictions on what you can do across
servers. Bind credentials may not be preserved (but there are config
directives for Bind), you cannot move objects between servers, aliases
between them don't work, etc.
See man slapd.conf, man slapd-ldap and man slapo-chain.
--
Hallvard