Christian Marg writes:
> I have some entries in my own OpenLDAP server (Server A, Base: dc=tu-clausthal,dc=de) and would like to link each of them to entries stored on a foreign LDAP Server (Server B, Base: ou=X,o=Y,c=Z).
> I have added the "seeAlso"-attribute containing the DNs I want to link my LDAP-entries to, but since they are in another name space and on a foreign Server, they point to "nil".
No, "nil" is not an LDAP term - but maybe the LDAP entry contains no seeAlso attribute, and your programming language returns "nil" for attempts to look up an attribute which is not present in the entry.
Put the DNs of the entries in question in the seeAlso attribute, just as you would do if the entries they point at were stored in server A.
Then set up server A so that attempts to look up an entry under ou=X,o=Y,c=Z will return a referral to server B to the client, or will cause server A to contact server B and return the results to the client.
The simplest way is to put "referral ldap://server B/" in slapd.conf, so that attempts to look up _any_ entry outside dc=tu-clausthal,dc=de in server A will return a referral to server B.
Or to get server A to contact server B, use "database ldap" with suffix "ou=X,o=Y,c=Z" in server A, referring to server B.
Other options are to create a referral entry "ou=X,o=Y,c=Z" in server A, and maybe to use the chain overlay to get A to contact B. But probably not in this simple case.
Note that authentication and access control can get troublesome with cross-server trees. (If you are authenticated when talking to server A, and then look up something in server B, should B be contacted anonymously or with the same DN or as something else?)
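
The two slapd.conf approaches from the reply above, side by side, as an added example that is not part of the original message. The host name serverB.example.org is a placeholder for server B, and the existing database for dc=tu-clausthal,dc=de is assumed to stay as it is.

```conf
# slapd.conf on server A (illustrative fragment; serverB.example.org is a
# placeholder host name, not taken from the original message).

# --- Option 1: default referral (global section, before any "database") ---
# A lookup for a DN that no database on server A holds is answered with a
# referral. The client then contacts server B itself, so server B sees the
# client's own connection and whatever bind the client performs there.
referral        ldap://serverB.example.org/

# ... existing "database" section for dc=tu-clausthal,dc=de goes here ...

# --- Option 2: proxy with back-ldap ---
# Server A contacts server B on the client's behalf and returns the results.
# With this database present, requests under ou=X,o=Y,c=Z are handled here
# and the default referral above only applies to other foreign DNs.
database        ldap
suffix          "ou=X,o=Y,c=Z"
uri             "ldap://serverB.example.org/"

# Identity toward server B: server B only sees server A's connection, so
# decide explicitly whether A should talk to B anonymously, with the
# client's identity, or as a fixed proxy identity. back-ldap controls this
# through its bind settings (for example idassert-bind, see slapd-ldap(5)).
# Access rules on server A for ou=X,o=Y,c=Z still apply to the proxied
# results and should be reviewed together with server B's own rules.
```

With either option the seeAlso values in the dc=tu-clausthal,dc=de entries stay plain DNs under ou=X,o=Y,c=Z; only the way server A answers lookups for those DNs changes.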