access to *
 by * write

That's awfully permissive; most sites would consider a least privilege model as a Good Idea. Of course Your Needs May Vary.
Thanks. This is just for testing.
 

Result:
adding new entry "ou=groups,dc=mycompany,dc=com"
ldapadd: Referral (10)
      referrals:
              ldap://master.server:389/ou=groups,dc=mycompany,dc=com
[...]

How can I trace the referral? Thank you.

No, that's the end, nothing to trace. That is, the URI printed above -- that is the referral -- end of story. All working properly at this point. It's the client's job to decide what to do with the referral. In the case of OpenLDAP clients, it prints it, nothing more.

Thank you. I assumed that the OpenLDAP slave would transfer to the master. My assumption was wrong.
 


You may code a custom client that handles the referral, if you desire. (Hopefully this would be locked down to ensure that it only talks to your trusted servers. The inability to determine if a server is trusted or untrusted is why referral chasing is not supported with OpenLDAP clients.)

Another idea would be to use the slapo-chain examples described on this list, e.g. http://www.openldap.org/lists/openldap-software/200709/msg00054.html. Since the slapo-chain will only go to the explicitly configured URI you trust, it may be construed as safer than having clients jump around randomly.

I shall have a study. Thank you very much!


--
John 3:16 For God so loved the world, that He gave His only begotten Son, that whoever believes in Him shall not perish, but have eternal life.
http://www.hkccc.org/flash2.htm
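
The locked-down custom client suggested in the thread, sketched as an added example (not code from the thread or from OpenLDAP): it pulls the referral URI out of the `ldapadd` output shown above and accepts it only if the server and DN are on an explicit allowlist. The allowlist contents, the suffix and the function names are assumptions made for this illustration.

```python
from urllib.parse import urlsplit, unquote

# Assumed policy for this sketch: the one server and suffix seen in the thread.
TRUSTED_SERVERS = {("ldap", "master.server", 389)}
ALLOWED_SUFFIX = "dc=mycompany,dc=com"
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def vet_referral(uri, trusted=TRUSTED_SERVERS, suffix=ALLOWED_SUFFIX):
    """Return (scheme, host, port, dn) if the referral may be followed; raise ValueError otherwise."""
    parts = urlsplit(uri.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {scheme!r}")
    # Reject userinfo so "trusted:389@other-host" cannot pass as the trusted host.
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo is not allowed in a referral URI")
    host = (parts.hostname or "").lower()
    # Accessing .port raises ValueError when the port is malformed.
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    if (scheme, host, port) not in trusted:
        raise ValueError(f"untrusted server: {scheme}://{host}:{port}")
    # Simplified DN comparison (lowercase, exact suffix match); no full DN normalization.
    dn = unquote(parts.path.lstrip("/")).strip().lower()
    if dn != suffix and not dn.endswith("," + suffix):
        raise ValueError(f"DN outside {suffix}: {dn!r}")
    return scheme, host, port, dn


def referrals_from_output(text):
    """Collect the URIs listed under 'referrals:' in ldapadd-style output."""
    uris, in_block = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "referrals:":
            in_block = True
        elif in_block and stripped.startswith(("ldap://", "ldaps://")):
            uris.append(stripped)
        elif in_block:
            in_block = False
    return uris


# Output as printed in the thread above.
SAMPLE = '''adding new entry "ou=groups,dc=mycompany,dc=com"
ldapadd: Referral (10)
      referrals:
              ldap://master.server:389/ou=groups,dc=mycompany,dc=com
'''

if __name__ == "__main__":
    for uri in referrals_from_output(SAMPLE):
        print(vet_referral(uri))
```

Only a URI that `vet_referral` returns should be handed to whatever LDAP library re-issues the write; anything that raises is logged and dropped.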