NAME
slapo-chain - chain overlay
SYNOPSIS
/etc/ldap/slapd.conf
DESCRIPTION
The
chain
overlay to
slapd(8)
allows automatic referral chasing.
Any time a referral is returned (except for bind operations),
it chased by using an instance of the ldap backend.
If operations are performed with an identity (i.e. after a bind),
that identity can be asserted while chasing the referrals
by means of the
identity assertion feature of back-ldap
(see
slapd-ldap(5)
for details), which is essentially based on the
proxyAuthz
control (see
draft-weltman-ldapv3-proxy for details.)
Referral chasing can be controlled by the client by issuing the
chaining control
(see
draft-sermersheim-ldap-chaining for details.)
The config directives that are specific to the
chain
overlay are prefixed by
R chain- ,
to avoid potential conflicts with directives specific to the underlying
database or to other stacked overlays.
There are very few chain overlay specific directives; however, directives
related to the instances of the
ldap backend that may be implicitly
instantiated by the overlay may assume a special meaning when used
in conjunction with this overlay. They are described in
slapd-ldap(5),
and they also need be prefixed by
R chain- .
overlay chain
This directive adds the chain overlay to the current backend.
The chain overlay may be used with any backend, but it is mainly
intended for use with local storage backends that may return referrals.
It is useless in conjunction with the slapd-ldap and slapd-meta
backends because they already exploit the libldap specific referral chase
feature.
[Note: this may change in the future, as the ldap(5) and
meta(5) backends might no longer chase referrals on their own.]
chain-chaining [resolve=<r>] [continuation=<c>] [critical]
This directive enables the chaining control
(see draft-sermersheim-ldap-chaining for details)
with the desired resolve and continuation behaviors and criticality.
The resolve parameter refers to the behavior while discovering
a resource, namely when accessing the object indicated by the request DN;
the continuation parameter refers to the behavior while handling
intermediate responses, which is mostly significant for the search
operation, but may affect extended operations that return intermediate
responses.
The values r and c can be any of
R chainingPreferred ,
R chainingRequired ,
R referralsPreferred ,
R referralsRequired .
If the critical flag affects the control criticality if provided.
[This control is experimental and its support may change in the future.]
chain-cache-uri {FALSE|true}
This directive instructs the chain overlay to cache
connections to URIs parsed out of referrals that are not predefined,
to be reused for later chaining.
These URIs inherit the properties configured for the underlying
slapd-ldap(5) before any occurrence of the chain-uri
directive; in detail, they are essentially chained anonymously.
chain-uri <ldapuri>
This directive instantiates a new underlying ldap database
and instructs it about which URI to contact to chase referrals.
As opposed to what stated in slapd-ldap(5), only one URI
can appear after this directive; all subsequent slapd-ldap(5)
directives prefixed by chain- refer to this specific instance
of a remote server.
Directives for configuring the underlying ldap database may also
be required, as shown in this example:
overlay chain
chain-rebind-as-user FALSE
chain-uri "ldap://ldap1.example.com"
chain-rebind-as-user TRUE
chain-idassert-bind bindmethod="simple"
binddn="cn=Auth,dc=example,dc=com"
credentials="secret"
mode="self"
chain-uri "ldap://ldap2.example.com"
chain-idassert-bind bindmethod="simple"
binddn="cn=Auth,dc=example,dc=com"
credentials="secret"
mode="none"
Any valid directives for the ldap database may be used; see
slapd-ldap(5)
for details.
Multiple occurrences of the
chain-uri directive may appear,
to define multiple "trusted" URIs where operations with
identity assertion are chained.
All URIs not listed in the configuration are chained anonymously.
All
slapd-ldap(5) directives appearing before the first
occurrence of
chain-uri are inherited by all URIs,
unless specifically overridden inside each URI configuration.
FILES
/etc/ldap/slapd.conf
default slapd configuration file
SEE ALSO
AUTHOR
Originally implemented by Howard Chu; extended by Pierangelo Masarati.