Does anyone have a good starting point for OpenLDAP and referrals? I think I have it working, but I'm not 100% sure, and would like to know if I am on the right path.
Mack
Mack J. Jenkins, II writes:
Does anyone have a good starting point for OpenLDAP and referrals? I think I have it working, but I'm not 100% sure, and would like to know if I am on the right path.
If you mean to put referral objects in the directory: RFC 3296. In your referral objects, don't use a different DN in the 'ref' attribute than the referral object's DN.
If you want the server to follow the referrals instead of sending them to the client, see man slapo-chain.
Unless you just mean the 'referral' directive described in man slapd.conf - referrals for requests outside your "suffix" in slapd.conf.
What I am trying to do is this. When my OpenLDAP server is queried for authentication, if the user id and password are not local to my OpenLDAP server, but they do exist on another OpenLDAP server, I want my OpenLDAP server to tell the application that sent the log in request, to go to that other OpenLDAP server for authentication. I am hoping this can be done automatically without the user having to make another login attempt.
Here is what I have in my slapd.conf file. From what I have found, I thought this would work, but the application trying to log in is not being passed off to the other OpenLDAP server.
database   bdb
suffix     "dc=ilsvpn,dc=ibm,dc=com"
rootdn     "cn=anubis,dc=ilsvpn,dc=ibm,dc=com"
rootpw     stuff here
directory  /var/lib/ldap/ilsvpn
mode       0600
dn: ou=bluepages,o=ibm.com
objectClass: referral
# a referral object needs extensibleObject to carry its naming attribute (ou)
objectClass: extensibleObject
ou: bluepages
ref: ldaps://bluepages.ibm.com/ou=bluepages,o=ibm.com
Mack
On Fri, Feb 22, 2008 at 1:00 PM, Hallvard B Furuseth <h.b.furuseth@usit.uio.no> wrote:
Mack J. Jenkins, II writes:
Does anyone have a good starting point for OpenLDAP and referrals? I think I have it working, but I'm not 100% sure, and would like to know if I am on the right path.
If you mean to put referral objects in the directory: RFC 3296. In your referral objects, don't use a different DN in the 'ref' attribute than the referral object's DN.
If you want the server to follow the referrals instead of sending them to the client, see man slapo-chain.
Unless you just mean the 'referral' directive described in man slapd.conf - referrals for requests outside your "suffix" in slapd.conf.
-- Hallvard
Mack Jenkins wrote:
What I am trying to do is this. When my OpenLDAP server is queried for authentication, if the user id and password are not local to my OpenLDAP server, but they do exist on another OpenLDAP server, I want my OpenLDAP server to tell the application that sent the log in request, to go to that other OpenLDAP server for authentication. I am hoping this can be done automatically without the user having to make another login attempt.
You can't, since out of scope binds do not return referrals (AFAIK). You should rather look at gluing (see the "subordinate" directive in slapd.conf(5)) your local database with a proxy (see slapd-ldap(5)) that points to your other server.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
"Mack Jenkins" <mack.jenkins@gmail.com> writes:
What I am trying to do is this. When my OpenLDAP server is queried for authentication, if the user id and password are not local to my OpenLDAP server, but they do exist on another OpenLDAP server, I want my OpenLDAP server to tell the application that sent the log in request, to go to that other OpenLDAP server for authentication. I am hoping this can be done automatically without the user having to make another login attempt.
You are requesting X.500 DAP services. LDAP only supports referrals. If uid is part of the DN, you may create a named referral locally and have the client follow this referral and rebind to the remote server.
-Dieter
Dieter Kluenter wrote:
"Mack Jenkins" <mack.jenkins@gmail.com> writes:
What I am trying to do is this. When my OpenLDAP server is queried for authentication, if the user id and password are not local to my OpenLDAP server, but they do exist on another OpenLDAP server, I want my OpenLDAP server to tell the application that sent the log in request, to go to that other OpenLDAP server for authentication. I am hoping this can be done automatically without the user having to make another login attempt.
You are requesting X.500 DAP services. LDAP only supports referrals. If uid is part of the DN, you may create a named referral locally and have the client follow this referral and rebind to the remote server.
As Ando already pointed out, referrals are not the answer here, and OpenLDAP already provides other alternatives that will work.
So in my example, I am using Avential to authenticate against my OpenLDAP server. If that account is not on the local OpenLDAP server, but on another OpenLDAP server, referrals will not pass along the request? I will have to look up X.500 DAP services and go that route? Just want to clarify before I abandon the referral route.
Mack
On Feb 26, 2008, at 6:07 AM, Howard Chu wrote:
Dieter Kluenter wrote:
"Mack Jenkins" <mack.jenkins@gmail.com> writes:
What I am trying to do is this. When my OpenLDAP server is queried for authentication, if the user id and password are not local to my OpenLDAP server, but they do exist on another OpenLDAP server, I want my OpenLDAP server to tell the application that sent the log in request, to go to that other OpenLDAP server for authentication. I am hoping this can be done automatically without the user having to make another login attempt.
You are requesting X.500 DAP services. LDAP only supports referrals. If uid is part of the DN, you may create a named referral locally and have the client follow this referral and rebind to the remote server.
As Ando already pointed out, referrals are not the answer here, and OpenLDAP already provides other alternatives that will work.
--
Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Mack J. Jenkins, II wrote:
So in my example, I am using Avential to authenticate against my OpenLDAP server. If that account is not on the local OpenLDAP server, but on another OpenLDAP server, referrals will not pass along the request?
Please re-read the former response more carefully:
http://www.openldap.org/lists/openldap-software/200802/msg00348.html
Ando even mentioned the relevant man-pages.
I will have to look up X.500 DAP services and go that route?
Nope!
Just want to clarify before I abandon the referral route.
Referrals are a mess in most use-cases anyway.
Use back-ldap to pass the client's requests to the remote server and use the "subordinate" directive in slapd.conf to glue it all together with your local database. Take care of separate name spaces (search bases and user IDs).
As usual OpenLDAP's FAQ-O-MATIC is a valuable source of information. These articles could give you an idea:
http://www.openldap.org/faq/data/cache/532.html
http://www.openldap.org/faq/data/cache/1299.html
And please read this stuff and try yourself!
Ciao, Michael.
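The gluing that Ando and Michael describe (back-ldap proxy plus "subordinate"), written out as an added slapd.conf example rather than anyone's configuration from this thread. It assumes the remote server is at ldaps://remote.example.com and holds ou=bluepages,o=ibm.com, and it uses the rwm overlay (slapo-rwm(5)) to expose that remote tree under the local suffix so that one search base covers both sets of users:

```conf
# Added example, not from the thread. Assumed: remote server at
# ldaps://remote.example.com with naming context ou=bluepages,o=ibm.com,
# exposed locally as ou=remote,dc=ilsvpn,dc=ibm,dc=com.

# 1. The proxy database (slapd-ldap(5)). A subordinate must be declared
#    BEFORE the database it is glued into, and its suffix must lie under
#    that database's suffix.
database        ldap
suffix          "ou=remote,dc=ilsvpn,dc=ibm,dc=com"
subordinate
uri             "ldaps://remote.example.com/"
# Simple binds against DNs under this suffix are forwarded to the remote
# server with the client's own credentials, so no proxy identity is set.

# Map the locally visible naming context onto the remote one in both
# directions: request DNs and filters go out rewritten, result DNs come
# back rewritten under the local suffix.
overlay         rwm
rwm-rewriteEngine on
rwm-suffixmassage "ou=remote,dc=ilsvpn,dc=ibm,dc=com" "ou=bluepages,o=ibm.com"

# 2. The local database from the original post, now the superior of the
#    glued tree. A subtree search at this suffix is fanned out to the
#    proxy as well, so the application sees local and remote users under
#    one base. uid values must therefore be unique across both servers.
database        bdb
suffix          "dc=ilsvpn,dc=ibm,dc=com"
rootdn          "cn=anubis,dc=ilsvpn,dc=ibm,dc=com"
rootpw          {SSHA}PLACEHOLDER_HASH
directory       /var/lib/ldap/ilsvpn
mode            0600
```

To check the glue, run a subtree search for a remote user against the local server, e.g. ldapsearch -x -H ldap://localhost/ -b "dc=ilsvpn,dc=ibm,dc=com" "(uid=someone)": the entry should come back with a DN under ou=remote,dc=ilsvpn,dc=ibm,dc=com, and a bind with that DN is proxied to the remote server.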
openldap-software@openldap.org