
Re: Using the referrals in (Open)LDAP?



At 02:41 AM 5/3/2004, denis.havlik@t-mobile.at wrote:

>Morning everyone 
>
>I just tried to find some documentation about openLDAP & referrals, google must be on strike today. .-) 
>Anyone knows of some good referrals-specific HOWTO-like stuff? (I'm reading the relevant parts of the "LDAP System Administration" right now, but apparently some parts of the "referrals story" are vendor specific, so I'll still need something openLDAP specific too) 
>
>In particular, I'm interested in the following stuff: 
>
>1) Can referrals be added to directory like "normal" entries, or do I have to define them in slapd.conf? 

Depends on the kind of knowledge reference being added.
slapd(8) supports RFC 3296 "referral" objects for
subordinate and cross references.  Global superior
references are however added via slapd.conf(5)'s
'referral' directive.  And master references are
added via slapd.conf(5)'s 'updateref' directive.

>2) Who is chasing the referrals, client, or the server?

Either or both.

>If client, will the library take care of it,

For security reasons, ldap(3) provides chasing facilities.

>or do I have to implement the logic for referrals chasing in the clients? 

It's up to the client to decide how to use the facilities
(hopefully it does so in coordination with the user).

In general, I suggest clients which chase to use the ldap(3)
features to obtain the referral/reference information directly.

>3) Assuming I've done an authenticated bind to server A, and the data is on server B, what needs to be done so that server B accepts me as "authenticated user"?

In general, authentication with B is completely independent of
any prior communication with A.

>That is, do I need to configure the trust relationships in addition to defining the referrals (and how)?

The library is unaware of what trust relationships might
exist.  Your client needs to manage these itself.

>I'm a bit disappointed here. I can accept that LDAP has some limitations because of the distributed-directory nature, but this is exactly the kind of stuff I DO expect a distributed directory to be good at. :-( 

Client chasing is outside of the distributed directory: clients
are user agents not system agents.  If you want the directory
to manage distributed operations, then you need to use
server-side chaining (and chasing) instead.  That is,
back-ldap/back-meta.

Of course, back-ldap/back-meta are more designed to do simple
proxying (forwarding) of requests, not full-blown chaining.
The latter requires a chaining operation... coming soon to
an LDAP server near you.

Kurt
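As an added example (not from this thread, and not OpenLDAP's own code): the client-side decision Kurt describes, written in Python with only the standard library. It parses the LDAP URLs a server returns in a referral and decides, per host, whether to chase and which identity to bind with, so the credentials given to server A are never replayed to server B. Host names, DNs and passwords are constructed placeholders; in a real ldap(3) client this logic would sit in the rebind callback after automatic chasing (LDAP_OPT_REFERRALS) has been turned off.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, unquote

@dataclass
class Referral:
    scheme: str
    host: str
    port: int
    dn: str

def parse_ldap_url(url: str) -> Referral:
    """Extract scheme, host, port and base DN from an RFC 4516 LDAP URL
    (ldap[s]://host[:port]/dn[?attrs[?scope[?filter]]]), the form used in
    referral results and in the 'ref' attribute of RFC 3296 referral objects."""
    p = urlsplit(url)
    if p.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme in referral: {url}")
    if not p.hostname:
        raise ValueError(f"referral without host: {url}")
    port = p.port or (636 if p.scheme == "ldaps" else 389)   # may raise on a bad port
    return Referral(p.scheme, p.hostname, port, unquote(p.path.lstrip("/")))

class ReferralPolicy:
    """Client-side chasing policy. creds_by_host maps each server the client
    trusts to the (bind_dn, password) to use there, or None for an anonymous
    bind. The identity used with server A is never reused for server B."""
    def __init__(self, creds_by_host, require_tls=True):
        self.creds_by_host = creds_by_host
        self.require_tls = require_tls

    def decide(self, url):
        try:
            ref = parse_ldap_url(url)
        except ValueError as e:
            return {"action": "reject", "reason": str(e)}
        if self.require_tls and ref.scheme != "ldaps":
            return {"action": "reject", "reason": "not ldaps; a bind would go in the clear"}
        if ref.host not in self.creds_by_host:
            return {"action": "reject", "reason": f"no trust relationship for {ref.host}"}
        cred = self.creds_by_host[ref.host]
        return {"action": "chase", "host": ref.host, "port": ref.port, "dn": ref.dn,
                "bind_dn": cred[0] if cred else None}

# Constructed sample trust table: one identity per server, nothing inherited from A.
POLICY = ReferralPolicy({
    "ldap-b.example.com": ("cn=reader,dc=example,dc=com", "<password placeholder>"),
    "ldap-c.example.com": None,   # only an anonymous bind is allowed against C
})
```

Each referral URL fed to `POLICY.decide()` yields either a chase instruction with the host-specific bind DN or a rejection with the reason, which the client can surface to the user before any connection is opened.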