Hi list,
I'm having some problems getting referrals working at the moment. I have a situation where not all user data is stored on one server, but distributed over two servers. Server A is always asked for user authentication; however, in some cases that information won't be stored there but on server B instead. In fact, for some users absolutely no information will be stored about them at all on Server A. In these cases, server A has to refer to server B. There are, in my opinion, two patterns to do the referral:
1. Server A sends only the referral back to the client and the client itself asks Server B for authentication.
2. Through the configuration option overlay chain, server A sends the authentication to server B, which should then provide the validation, and then pass it back to the client.
In my scenario the client (liferay portal, http://www.liferay.com) should do the referral. So I have tried using the Subordinate Knowledge style, which as I understand is the correct method for this type of authentication. I have also checked to see if any data at all is passed from server A to server B, but none at all is passed. When I search (with ldapsearch) for users stored in server B I get as result the reference:

# search reference
ref: ldap://serverA:389/cn=subtree,dc=suffix??sub

When I try to authenticate via a user stored in server B I get this error message:

bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989)
The referral object I created on Server A was from the following ldif file:
dn: cn=subtree,dc=suffix
objectClass: referral
objectClass: extensibleObject
cn: subtree
ref: ldap://serverA:389/cn=subtree,dc=suffix
and I also set the ACLs to
# slapd stops at the first "access to" clause that matches the entry, so the
# attrs=userPassword clause has to come before the catch-all "access to *"
access to attrs=userPassword by anonymous auth
access to * by * read
I also tried the overlay chain, but I doubt that this is the right way to solve my problem. To rule out the case that the client is doing something wrong, I'm looking for a client to simply test my scenario. ldapsearch can't test the authentication, I think. I now find myself quite lost as to what is going on and would appreciate some help from someone.
Thank you and best regards,
Sabine
openldap-software@openldap.org
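An offline check of the referral shown above, added here as an editor's example (not code from the post or from OpenLDAP): it pulls the `ref:` lines out of a constructed copy of the ldapsearch output, parses each RFC 4516 URL, and flags a ref that points back at the server that issued it (a client chasing it lands on the same referral entry again rather than on the other server) or that uses plain `ldap://`. The host names `serverA`/`serverB` and the sample output are constructed from the post.

```python
"""Offline sanity check of LDAP referral ('ref') URLs as printed by ldapsearch.
Server names and the sample output are constructed for this example."""
from urllib.parse import urlsplit, unquote

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

# Constructed sample of what ldapsearch prints when server A answers with a referral
SAMPLE_OUTPUT = """\
# extended LDIF
# search reference
ref: ldap://serverA:389/cn=subtree,dc=suffix??sub

# search result
search: 2
result: 0 Success
"""

def refs_from_ldapsearch_output(text):
    """Collect every 'ref:' URL from ldapsearch / LDIF output."""
    return [line[4:].strip() for line in text.splitlines() if line.startswith("ref:")]

def parse_ldap_url(url):
    """Split an RFC 4516 URL: scheme://host:port/dn?attrs?scope?filter?extensions."""
    p = urlsplit(url)
    if p.scheme not in DEFAULT_PORTS:
        raise ValueError("not an LDAP URL: %r" % url)
    fields = p.query.split("?") if p.query else []   # urlsplit already cut at the first '?'
    attrs, scope, filt = (fields + ["", "", ""])[:3]
    return {
        "scheme": p.scheme,
        "host": (p.hostname or "").lower(),
        "port": p.port or DEFAULT_PORTS[p.scheme],
        "dn": unquote(p.path.lstrip("/")),
        "attrs": [a for a in attrs.split(",") if a],
        "scope": scope.lower() or "base",            # empty scope means base (RFC 4516)
        "filter": unquote(filt) or "(objectClass=*)",
    }

def check_referral(ref_url, issuing_host, issuing_port=389):
    """Return finding codes for a ref that issuing_host returned.
    'self-referral': the URL names the issuing server itself, so chasing it loops
    back to the same referral entry instead of reaching the other server.
    'cleartext': plain ldap://, so a client following it with a simple bind sends
    the password unprotected unless it negotiates StartTLS first."""
    u = parse_ldap_url(ref_url)
    findings = []
    if (u["host"], u["port"]) == (issuing_host.lower(), issuing_port):
        findings.append("self-referral")
    if u["scheme"] == "ldap":
        findings.append("cleartext")
    return findings

if __name__ == "__main__":
    for ref in refs_from_ldapsearch_output(SAMPLE_OUTPUT):
        print(ref, parse_ldap_url(ref)["dn"], check_referral(ref, "serverA"))
```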