
Re: Referrals and ACL



Pierangelo Masarati wrote:

Jochen Witte wrote:

Hello,

I am trying to create a distributed LDAP. Is it possible to bind as a user
that is stored on a referred server, e.g.:

Server1:
--------
ou=unit1,dc=foo,dc=bar
uid=user,ou=corp1,dc=foo,dc=bar
(Subordinate info for Server2)

Server2:
--------
ou=subunit1,ou=unit1,dc=foo,dc=bar
(referral: ldap://Server1/)

I now want to use Server2 as "uid=user,ou=corp1,dc=foo,dc=bar" -- is
this possible?


Yes and no. Binds cannot chase referrals (for obvious reasons); you could do something like that by adding a "chain" overlay to Server1 and using Server1 for all operations (assuming Server1 has a superior referral pointing to Server2). The chain overlay is available since 2.2, but I've never played with it. I'm pretty sure the version that comes with 2.3 behaves as described above (in some cases you may need to use the chain overlay as a global overlay, i.e. configure it at the frontend level, before any database definition).

I think this case is better handled by glue/subordinate and an explicit back-ldap configuration. You still must direct all queries to server1, so it's mostly equivalent. (In general, chaining to subordinates and gluing subordinates with back-ldap is equivalent...)


--
 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support
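
A minimal slapd.conf fragment for Server1 showing the glue/subordinate plus back-ldap arrangement suggested in the reply above. It is an added illustration, not configuration posted in the thread; the suffixes and the Server2 name follow the question, while the bdb backend, directory path and rootdn are assumptions.

```conf
# Constructed slapd.conf fragment for Server1 (OpenLDAP 2.3 syntax).
# The bdb backend, directory path and rootdn below are assumptions.

# The inner suffix goes first: a database whose suffix lies inside another
# database's suffix must be defined before that other database.
database    ldap
suffix      "ou=subunit1,ou=unit1,dc=foo,dc=bar"
# Glue this database under the superior database defined below, so that a
# search based at dc=foo,dc=bar also covers this subtree.
subordinate
# back-ldap proxies operations on the subtree to Server2.
uri         "ldap://Server2/"

# Local database holding ou=unit1 and uid=user,ou=corp1.
# A bind as uid=user,ou=corp1,dc=foo,dc=bar is answered here, locally,
# so no referral has to be chased for the bind itself.
database    bdb
suffix      "dc=foo,dc=bar"
directory   /var/lib/ldap
rootdn      "cn=Manager,dc=foo,dc=bar"
```

Clients send every operation to Server1. ACLs on Server2 are evaluated against the identity that back-ldap presents on the proxied connection, so review the identity settings in slapd-ldap(5) together with Server2's ACLs.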