Hello,
I have some entries in my own OpenLDAP server (Server A, Base: dc=tu-clausthal,dc=de) and would like to link each of them to entries stored on a foreign LDAP Server (Server B, Base: ou=X,o=Y,c=Z).
I have added the "seeAlso"-attribute containing the DNs I want to link my LDAP-entries to, but since they are in another name space and on a foreign Server, they point to "nil".
Do I have to rebuild the foreign namespace to just add a reference to the other server? How would I do that most cleverly on OpenLDAP?
Or is there another way to create (correct) external references?
Am I even using the "seeAlso" attribute correctly?
bye Christian
Christian Marg writes:
> I have some entries in my own OpenLDAP server (Server A, Base: dc=tu-clausthal,dc=de) and would like to link each of them to entries stored on a foreign LDAP Server (Server B, Base: ou=X,o=Y,c=Z).
> I have added the "seeAlso"-attribute containing the DNs I want to link my LDAP-entries to, but since they are in another name space and on a foreign Server, they point to "nil".
No, "nil" is not an LDAP term - but maybe the LDAP entry contains no seeAlso attribute, and your programming language returns "nil" for attempts to look up an attribute which is not present in the entry.
Put the DNs of the entries in question in the seeAlso attribute, just as you would do if the entries they point at were stored in server A.
Then set up server A so that attempts to look up an entry under ou=X,o=Y,c=Z will return a referral to server B to the client, or will cause server A to contact server B and return the results to the client.
The simplest way is to put referral ldap://server B/ in slapd.conf, so that attempts to look up _any_ entry outside dc=tu-clausthal,dc=de in server A will return a referral to server B.
Or to get server A to contact server B, use "database ldap" with suffix "ou=X,o=Y,c=Z" in server A, referring to server B.
Other options are to create a referral entry "ou=X,o=Y,c=Z" in server A, and maybe to use the chain overlay to get A to contact B. But probably not in this simple case.
Note that authentication and access control can get troublesome with cross-server trees. (If you are authenticated when talking to server A, and then look up something in server B, should B be contacted anonymously or with the same DN or as something else?)
Hallvard B Furuseth wrote: [...]
> No, "nil" is not an LDAP term
That's why I put it in quotes - I didn't have a better term to say "the DN cannot be found on the current server and the client has no clue where to look for it".
> Put the DNs of the entries in question in the seeAlso attribute, just as you would do if the entries they point at were stored in server A.
> Then set up server A so that attempts to look up an entry under ou=X,o=Y,c=Z will return a referral to server B to the client, or will cause server A to contact server B and return the results to the client.
Ok, so I wasn't on the wrong track.
> The simplest way is to put referral ldap://server B/ in slapd.conf, so that attempts to look up _any_ entry outside dc=tu-clausthal,dc=de in server A will return a referral to server B.
Hmm, I might have to refer to some other LDAP server in the future, so this is a bit too simple. Too bad that there isn't a "refer-to"-backend that just refers someone querying its suffix to a different server.
Since I just want "referential integrity", i.e. the Server to know _something_ (even just a Referral) about a DN below "ou=X,o=Y,c=Z", I don't need the server to chase the referral. So I could add a second bdb (or even ldif!?) backend as Readonly etc, that just contains a referral entry for "ou=X,o=Y,c=Z"?
bye Christian
Christian Marg writes:
> Hmm, I might have to refer to some other LDAP server in the future, so this is a bit too simple. Too bad that there isn't a "refer-to"-backend that just refers someone querying its suffix to a different server.
Might be useful, yes.
Maybe the LDAP backend could get an option to not actually contact the remote server, just return a referral:-)
> Since I just want "referential integrity", i.e. the Server to know _something_ (even just a Referral) about a DN below "ou=X,o=Y,c=Z", I don't need the server to chase the referral. So I could add a second bdb (or even ldif!?) backend as Readonly etc, that just contains a referral entry for "ou=X,o=Y,c=Z"?
Sounds like it, yes. Not the LDIF backend, it wasn't written for "real" use like that. Hmph, I've got to get around to committing the patches I have for just that.
Yet another option is to compile with CPPFLAGS=-DBDB_MULTIPLE_SUFFIXES which makes BDB accept multiple suffixes in a single database. I don't know if that code is still good though. Might be suffering from code rot.
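As an added worked example (not from the thread or the OpenLDAP project), a slapd.conf for server A that puts Hallvard's global referral and Christian's dedicated referral-only backend side by side; the hostname ldap-b.example.org, the directory paths and the rootdn are assumptions.

```conf
# slapd.conf for server A (constructed example, not from the thread).
# Assumed hostname for server B: ldap-b.example.org.

include         /etc/openldap/schema/core.schema
pidfile         /var/run/slapd.pid

# Option 1 (global referral, the "simplest way"): any DN that no local
# backend holds is answered with a referral to server B.  Coarse: it only
# works while B is the single foreign server.
referral        ldap://ldap-b.example.org/

# Local data; seeAlso values under ou=X,o=Y,c=Z live in these entries.
database        bdb
suffix          "dc=tu-clausthal,dc=de"
rootdn          "cn=admin,dc=tu-clausthal,dc=de"
directory       /var/lib/ldap/tu-clausthal

# Option 2 (per-suffix referral entry): a small read-only backend whose only
# content is a referral entry for ou=X,o=Y,c=Z.  Server A never contacts B;
# the client receives the referral and decides whether to chase it, so no
# credentials of A are ever presented to B.
database        bdb
suffix          "ou=X,o=Y,c=Z"
directory       /var/lib/ldap/referral-xyz
readonly        on

# Option 3 (A chases for the client) would replace option 2 with back-ldap;
# which identity A then presents to B is a separate decision (see the
# authentication caveat above).
#database        ldap
#suffix          "ou=X,o=Y,c=Z"
#uri             ldap://ldap-b.example.org/

# --- referral-xyz.ldif: the single entry loaded into the option-2 backend
# --- with slapadd (the backend is read-only, so not via ldapadd).  A search
# --- for any DN at or below ou=X,o=Y,c=Z then returns the ref URI as a
# --- referral instead of noSuchObject.
# dn: ou=X,o=Y,c=Z
# objectClass: referral
# objectClass: extensibleObject
# ou: X
# ref: ldap://ldap-b.example.org/ou=X,o=Y,c=Z
```

To read the referral entry itself rather than be redirected (for example to verify it after loading), the client must send the ManageDsaIT control, as in ldapsearch -e manageDSAit.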
openldap-technical@openldap.org