Hello, I would like to clarify my problem: my 2 LDAP servers (configured as Provider) share the same tree (DIT) (same part of the tree):
- "Server local" manages the whole tree with the structure:
dc=com
ou=People,dc=com
uid=local_admin,ou=People,dc=com
ou=Group,dc=com
- "Server central" manages a database with the SAME tree structure but with another account:
dc=com
ou=People,dc=com
uid=central_admin,ou=People,dc=com
ou=Group,dc=com
Is it possible to configure "Server local" to delegate the request to "Server central" if an account is not found locally? For example, with ldapsearch:
ldapsearch -H ldaps://Server-local.com -b ou=dcom -w private -D "cn=Admin,dc=com" uid=central_admin mail -x -C
=> This fails: "Server local" does not return "Server central" to ldapsearch.
However, if I change the DIT of "Server central" so that it is different, the LDAP delegation works. For example, "Server central"'s DIT:
dc=com2
ou=People,dc=com2
uid=central_admin,ou=People,dc=com2
ou=Group,dc=com2
ldapsearch -H ldaps://Server-local.com -b ou=com2 -w private -D "cn=Admin,dc=com" uid=central_admin mail -x -C
=> This works:
dn: uid=adminCentral,ou=People,dc=com2
mail: admin_central@com2.com
ldapsearch's trace contains the referral URL: ldap_chase_v3_referral: msgid 2, url "ldaps://Server-central.com/dc=com2??sub"
It seems that no referral is returned if the trees are identical. Is it possible to configure the LDAP server "local" to return the referral to "central" (root) if the local query fails? The OpenLDAP Admin Guide (version 2.4), chapter 5.2.1.3 (olcReferral), says: "This directive specifies the referral to pass back when slapd cannot find a local database to handle a request".
Best regards,
Fb
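The behaviour described in the post follows from what olcReferral actually is: a global default that slapd returns only when the target DN of a request falls under no configured olcSuffix. A search based at dc=com is fully "handled" by the local dc=com database, so a missing uid=central_admin yields an empty result set rather than a referral; a base of dc=com2 matches no local suffix and therefore gets the default referral. The LDIF below is an added example, not the poster's configuration and not code from the thread: it shows the global default referral and the local suffix side by side, and the named subordinate reference (an entry of objectClass referral with a ref attribute, RFC 3296) that slapd does return from inside a local suffix. The hostnames server-local.example.com / server-central.example.com, the "ou=Central" container and the database index {1}mdb are assumptions chosen for illustration.

```ldif
# Added example (not from the original thread). Hostnames, the ou=Central
# container and the {1}mdb database index are illustrative assumptions.
#
# 1) Global default referral on "Server local", as it would appear in
#    slapcat output of cn=config. slapd returns this URL only when the
#    request's DN is under NO configured olcSuffix: a search based at
#    dc=com2 gets it, a search based at dc=com never does.
dn: cn=config
objectClass: olcGlobal
cn: config
olcReferral: ldaps://server-central.example.com/

# 2) The local database. Every DN under dc=com is handled here, so an
#    absent uid=central_admin simply produces zero entries.
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcSuffix: dc=com
olcRootDN: cn=Admin,dc=com
olcDbDirectory: /var/lib/ldap

# 3) Data LDIF (ldapadd) for the local DIT: a named subordinate reference
#    placed beside ou=People. For a subtree search based at dc=com slapd
#    returns the local matches plus a search continuation reference
#    pointing at the central server, which a client such as
#    "ldapsearch -C" chases. A client that sends the ManageDsaIT control
#    sees the referral entry itself instead of being redirected.
dn: ou=Central,dc=com
objectClass: referral
objectClass: extensibleObject
ou: Central
ref: ldaps://server-central.example.com/ou=People,dc=com
```

With the referral entry in place, a search such as ldapsearch -x -C -H ldaps://server-local.example.com -b dc=com -D "cn=Admin,dc=com" -W "(uid=central_admin)" mail returns the local results and then follows the continuation reference to the central server. Two checks a practitioner should make before relying on this: first, the OpenLDAP command-line tools chase referrals without re-sending the bind credentials, so the central server sees the chased search as anonymous and its ACLs must allow that (or the client must implement its own rebind); second, a referral entry can only be placed at a DN that does not already exist locally, so it redirects a subtree of the local DIT rather than individual missing accounts under ou=People.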
-----Original Message----- From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On behalf of openldap-technical-request@openldap.org Sent: Sunday, 15 January 2017 13:00 To: openldap-technical@openldap.org Subject: openldap-technical Digest, Vol 110, Issue 14
Today's Topics:
1. Re: Generic Referrals never received. (Quanah Gibson-Mount)
----------------------------------------------------------------------
Message: 1
Date: Sat, 14 Jan 2017 11:57:57 -0800
From: Quanah Gibson-Mount quanah@symas.com
To: BENICHOU Fabrice - Contractor fabrice.benichou@external.thalesaleniaspace.com, openldap-technical@openldap.org
Subject: Re: Generic Referrals never received.
Message-ID: <F3905FAB793AC520D721F0B1@[192.168.1.30]>
Content-Type: text/plain; charset=us-ascii; format=flowed
--On Friday, January 13, 2017 5:16 PM +0100 BENICHOU Fabrice - Contractor fabrice.benichou@external.thalesaleniaspace.com wrote:
the configuration of "localserver.domain.com" is:
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCertificateFile: "OpenLDAP Server"
olcTLSCertificateKeyFile: /etc/openldap/certs/password
structuralObjectClass: olcGlobal
creatorsName: cn=config
olcReferral: ldaps://centralserver.domain.com
olcLogLevel: -1
This is not a full configuration. It looks like you simply cut and pasted the cn=config.ldif file. You would want to slapcat the cn=config DB to get the full config database. I'm assuming you're trying to report a configuration issue on your end with back-ldap or similar. You'd most likely want to only provide the relevant configuration details for that portion of the configuration database.
Regards, Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com