Hello list,

I'm having some trouble with following referrals and especially ManageDSAiT.

When I request the supported controls here's what I get:

# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectClass=*)
# requesting: supportedControl
#

#
dn:
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.334810.2.3
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

So the ManageDSAiT (2.16.840.1.113730.3.4.2) is meant to be supported. However if I try any search (or add, etc) with the -M parameter (or if I use JNDI where I believe this control is set by default) The referrals aren't followed and I have the following logged error and no result is returned (not even a referral record):
Jul 18 11:45:03 linuxAeL1 slapd[4163]: begin get_filter
Jul 18 11:45:03 linuxAeL1 slapd[4163]: EQUALITY
Jul 18 11:45:03 linuxAeL1 slapd[4163]: end get_filter 0
Jul 18 11:45:03 linuxAeL1 slapd[4163]:     filter: (uid=jlsteiner1000f)
Jul 18 11:45:03 linuxAeL1 slapd[4163]: => get_ctrls
Jul 18 11:45:03 linuxAeL1 slapd[4163]: => get_ctrls: oid="2.16.840.1.113730.3.4.2" (noncritical)
Jul 18 11:45:03 linuxAeL1 slapd[4163]: <= get_ctrls: n=1 rc=0 err=""
Jul 18 11:45:03 linuxAeL1 slapd[4163]:     attrs:
Jul 18 11:45:03 linuxAeL1 slapd[4163]:
Jul 18 11:45:03 linuxAeL1 slapd[4163]: conn=41 op=1 SRCH base="o=EtatGE,c=CH" scope=2 deref=3 filter="(uid=jlsteiner1000f)"
Jul 18 11:45:03 linuxAeL1 slapd[4163]: slap_global_control: unavailable control: 2.16.840.1.113730.3.4.2


I really don't understand why this last line is coming up.

I configured openLDAP with the followings: ./configure --enable-backends --enable-overlays --enable-tls --enable-acl

Here's my slapd.conf:


# NOTES: inetorgperson picks up attributes and objectclasses
#        from all three schemas
#
# NB: RH Linux schemas in /etc/openldap
#
 
include        /usr/local/etc/openldap/schema/core.schema
include        /usr/local/etc/openldap/schema/cosine.schema
include        /usr/local/etc/openldap/schema/inetorgperson.schema
include     /usr/local/etc/openldap/schema/openca.schema
include     /usr/local/etc/openldap/schema/ldappc.schema
include     /usr/local/etc/openldap/schema/kitneduperson.schema
 
# DON'T bother with ARGS file unless you feel strongly
# slapd scripts stop scripts need this to work
pidfile /var/run/slapd.pid
 
# enable a lot of logging - we might need it
# but generates huge logs
#loglevel Conns Sync Filter
loglevel -1
 
# NO dynamic backend modules
 
# TLS-enabled connections
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /usr/local/var/openldap-data/cacert.pem
TLSCertificateFile /usr/local/var/openldap-data/ldapcrt.pem
TLSCertificateKeyFile /usr/local/var/openldap-data/ldapkey.pem



#Here I added the chaining

overlay chain



 
#######################################################################
# bdb database definitions

# replace example and com below with a suitable domain

# If you don't have a domain you can leave it since example.com
# is reserved for experimentation or change them to my and inc
#
#######################################################################
database        monitor
access to dn.subtree=cn=monitor
     by dn.exact=cn=Manager,o=example,c=ch write
     by dn.subtree=o=example,c=ch read
     by * write
 
database bdb
suffix "o=example,c=ch"
# root or superuser
rootdn "cn=Manager,o=example,c=ch"

rootpw secret
# The database directory MUST exist prior to running slapd AND 
# change path as necessary
directory    /usr/local/var/openldap-data
 
# Indices to maintain for this directory
# unique id so equality match only
index    uid    eq
# allows general searching on commonname, givenname and email
index    cn,gn,mail    eq,sub
# allows multiple variants on surname searching
#index    sn    eq,sub
# sub above includes subintial,subany,subfinal
# optimise department searches
#index    ou    eq
# if searches will include objectClass uncomment following
# index objectClass eq
# shows use of default index parameter
index    default    eq,sub
 

 
# other database parameters
# read more in slapd.conf reference section
cachesize 10000
checkpoint 128 15

dbconfig set_cachesize 0 30000000 0
dbconfig set_lg_bsize 3000000
dbconfig set_flags DB_LOG_AUTOREMOVE

dbcachesize 350000



Also as an aside question, I'm not sure I understand why the server is doing the recursion referral correctly ( i.e. it returns the correct record fetched on the second server instead of the referral record) when I *don't* put the -M option...

As I'm a little lost in those referral questions and I didn't find relevant information I hope someone can clarify this for me.


Best,

Christophe.