
referral with authentication



Hi list,

I'm having some problems getting referrals working at the moment.  I have a
situation where not all user data is stored on one server, but distributed
over two servers.  Server A is always asked for user authentication, however
in some cases that information won't be stored there but on server B instead.
In fact with some users, absolutely no information will be stored about them
at all on Server A.  In these cases, server A has to refer to server B.
There are in my opinion two patterns to do the referral:

1. Server A sends only the referral back to the client and the client
itself asks Server B for authentication.

2. Through the configuration option overlay chain the server A sends the
authentication to server B, which should then provide the validation, and
then pass it back to the client.

In my scenario the client (Liferay portal - http://www.liferay.com)
should do the referral.
So I have tried using the Subordinate Knowledge style, which as I
understand is the correct method for this type of authentication.
I have checked also to see if any data at all is passed from server A to
server B, but none at all is passed.
When I search (with ldapsearch) users stored in server B I get as result
the reference:

# search reference
ref: ldap://serverA:389/cn=subtree,dc=suffix??sub

When I try to authenticate via a user stored in server B I get this error
message:
bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989)

The referral object I created on Server A was from the following ldif file:

dn: cn=subtree,dc=suffix
objectClass: referral
objectClass: extensibleObject
cn: subtree
ref: ldap://serverA:389/cn=subtree,dc=suffix

and I also set the ACLs to

access to * by * read
access to attrs=userPassword by anonymous auth

I also tried the overlay chain, but I doubt if this is the right way to
solve my problem. To exclude the case that the client does something wrong,
I'm looking for a client to simply test my scenario.
ldapsearch can't test the authentication, I think.
I now find myself quite lost as to what is going on and would appreciate
some help from someone.

Thank you and best regards
Sabine

-- 
Sabine Hanß *** email sabine.hanss@charite.de
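
Added example, not part of the original post: an offline check that parses the referral entry quoted in the message and reports any ref URL that points back at the server and DN holding the entry, where a client chasing the referral would only be sent to the same object again. The function names are this example's own, the entry is assumed to live on serverA port 389 as the post describes, and the DN comparison is a simplified case-insensitive match.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample: the referral entry as quoted in the post.
LDIF = """\
dn: cn=subtree,dc=suffix
objectClass: referral
objectClass: extensibleObject
cn: subtree
ref: ldap://serverA:389/cn=subtree,dc=suffix
"""

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

def parse_ldif_entry(text):
    """Collect the attribute values of one simple LDIF entry (no base64, no folding)."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(": ")
        entry.setdefault(name.lower(), []).append(value)
    return entry

def parse_ldap_url(url):
    """Split an RFC 4516 LDAP URL into scheme, host, port, base DN and scope."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"not an LDAP URL: {url}")
    # After the DN the URL carries attrs?scope?filter?extensions, all optional.
    fields = parts.query.split("?") if parts.query else []
    return {
        "scheme": scheme,
        "host": (parts.hostname or "").lower(),
        "port": parts.port or DEFAULT_PORTS[scheme],
        "dn": unquote(parts.path.lstrip("/")),
        "scope": fields[1] if len(fields) > 1 and fields[1] else None,
    }

def referral_loops(entry, holder_host, holder_port=389):
    """Return the ref URLs that name the holding server and the entry's own DN."""
    norm = lambda dn: dn.replace(" ", "").lower()  # simplified DN comparison
    loops = []
    for url in entry.get("ref", []):
        target = parse_ldap_url(url)
        same_server = (target["host"], target["port"]) == (holder_host.lower(), holder_port)
        if same_server and norm(target["dn"]) == norm(entry["dn"][0]):
            loops.append(url)
    return loops
```

`referral_loops(parse_ldif_entry(LDIF), "serverA")` returns the quoted ref value, while the same entry with a ref naming a different host returns an empty list.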