On Tue, 10 Jan 2017 18:45:50 +0100, BENICHOU Fabrice - Contractor fabrice.benichou@external.thalesaleniaspace.com wrote:
Hello, I am trying to chain 2 LDAP masters (Providers).
My system is:
- 1 Master "central" with suffix="dc=com": it contains LDAP POSIX users like "adminCentral".
- 1 Master "local" with suffix="dc=com": it contains LDAP POSIX users like "adminlocal".

The goal is to chain requests when an LDAP client asks Master "local": the latter shall chain the request to Master "central" and return the result to the client. For example, if "uid=adminCentral,User,dc=com" is not found in the Master "local" LDAP, the Master "local" LDAP shall check whether this entry exists in Master "central".
Is it possible for a Master to chain, via the overlay with the "olcDbURI" parameter, to another master? I only see examples where Slaves (Consumers) are chaining to Masters (Providers).
My Master "local" is configured with TLS: it has a Master_pem certificate and a rootCA_local.pem (used in fact to authenticate a local slave for replication). How can I have TLS between "Master local" and "Master central"? If the rootCA_central.pem (trust chain) is not the same as the rootCA_local.pem, how do I complete the trust chain of the Master local?
My work is based on the documentation at http://www.zytrax.com/books/ldap/ch7/referrals.html#chaining (7.3.5),
but the full documentation is not available and I use dynamic configuration with "olc". I have also found at http://serverfault.com/questions/518407/openldap-2-4-chain-overlay-minimal-l... the Chain Overlay Minimal LDIF Configuration, but the delegation does not work. Does anyone have a tutorial?
You should read OpenLDAP documentation and not other unreliable sources. man slapo-chain(5) provides sufficient information. You may consider slapd-relay(5) as an alternative solution.
http://www.openldap.org/doc/admin24/overlays.html#Chaining http://www.openldap.org/doc/admin24/backends.html#Relay
-Dieter
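As an added, constructed illustration (not from either poster and not an OpenLDAP project file) of what the slapo-chain(5) and slapd-ldap(5) manual pages Dieter refers to describe, here is the cn=config form of a chain overlay on the frontend database of Master "local" that forwards to Master "central" over StartTLS. The host name central.example.com, the CA file path, the proxy bind DN and its credentials are assumptions, not values from the thread. Two caveats matter for the setup described above: slapo-chain only acts on referrals that the local server returns, so a missing entry under a suffix the local server itself holds (dc=com on both masters) is answered with noSuchObject rather than chained unless something generates a referral for it; and the CA used to verify central (tls_cacert below) is configured on the chained database itself, independently of the rootCA_local.pem the local server uses for its own replication clients.

```ldif
# Constructed example: chain overlay on the frontend database of Master "local".
# Host name, CA path, bind DN and credentials are assumptions, not from the thread.
dn: olcOverlay=chain,olcDatabase={-1}frontend,cn=config
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: chain
# Do not remember referral URIs seen in responses; only the configured target is used.
olcChainCacheURI: FALSE
# Follow at most one hop, so two masters referring to each other cannot loop.
olcChainMaxReferralDepth: 1
# Hand the remote server's error to the client instead of the original referral.
olcChainReturnError: TRUE

# One chained target: Master "central". Each chained database is a slapd-ldap(5) instance.
dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: ldap
olcDbURI: "ldap://central.example.com/"
# "start" (not "try-start") makes StartTLS mandatory; tls_reqcert=demand refuses the
# connection unless central's certificate chains to the CA file given here.
olcDbStartTLS: start tls_cacert="/etc/ldap/certs/rootCA_central.pem" tls_reqcert=demand
# Chained operations are sent under this single proxy identity (mode=none: no identity
# assertion), so central's ACLs for that DN decide what the local clients can see.
olcDbIDAssertBind: mode=none bindmethod=simple binddn="cn=chainproxy,dc=com" credentials="CHANGE-ME"
olcDbRebindAsUser: FALSE
olcDbChaseReferrals: TRUE
olcDbProtocolVersion: 3
```

Load it on Master "local" with `ldapadd -Y EXTERNAL -H ldapi:/// -f chain.ldif`, then check that a search which produces a referral is answered with entries from central rather than the referral itself, and that the connection to central is refused when tls_cacert points at a CA that did not sign central's certificate.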