referral with authentication
- To: openldap-software@openldap.org
- Subject: referral with authentication
- From: "Sabine Hanß" <sabine.hanss@charite.de>
- Date: Mon, 18 Jan 2010 08:36:26 +0100
- User-agent: SquirrelMail/1.4.20RC1
Hi list,
I'm having some problems getting referrals working at the moment. I have a
situation where not all user data is stored on one server, but distributed
over two servers. Server A is always asked for user authentication; however,
in some cases that information won't be stored there but on server B instead.
In fact, for some users, absolutely no information will be stored about them
at all on Server A. In these cases, server A has to refer to server B.
There are in my opinion two patterns to do the referral:
1. Server A sends only the referral back to the client and the client
itself asks Server B for authentication.
2. Through the configuration option overlay chain the server A sends the
authentication to server B, which should then provide the validation, and
then pass it back to the client.
In my scenario the client (liferay portal - http://www.liferay.com) should
do the referral.
So I have tried using the Subordinate Knowledge style, which as I
understand is the correct method for this type of authentication.
I have checked also to see if any data at all is passed from server A to
server B, but none at all is passed.
When I search (with ldapsearch) users stored in server B I get as result
the reference:
# search reference
ref: ldap://serverA:389/cn=subtree,dc=suffix??sub
When I try to authenticate via a user stored in server B I get this error
message:
bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989)
The referral object I created on Server A was from the following ldif file:
dn: cn=subtree,dc=suffix
objectClass: referral
objectClass: extensibleObject
cn: subtree
ref: ldap://serverA:389/cn=subtree,dc=suffix
and I also set the ACLs to
access to * by * read
access to attrs=userPassword by anonymous auth
I also tried the overlay chain, but I doubt whether this is the right way to
solve my problem. To rule out the case that the client does something wrong,
I'm looking for a client to simply test my scenario.
ldapsearch can't test the authentication, I think.
I now find myself quite lost as to what is going on and would appreciate some
help from someone.
Thank you and best regards
Sabine
--
Sabine Hanß *** email sabine.hanss@charite.de
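An added example, not part of the original message: a small RFC 4516 LDAP URL parser plus a sanity check on a referral object, using the placeholder names from the post (serverA, serverB, cn=subtree,dc=suffix). In the LDIF quoted above the ref host is serverA, the same server that holds the referral object; the check flags that case, and also flags cleartext ldap:// targets, since a client that chases a referral for a simple bind re-sends the password to the referred server.

```python
"""RFC 4516 LDAP URL parsing and a referral sanity check.

Added example; hostnames and DNs are the placeholders from the post.
"""
from urllib.parse import urlsplit, unquote


def parse_ldap_url(url):
    """Split ldap[s]://host:port/dn?attrs?scope?filter?exts into parts.

    Missing query fields get their RFC 4516 defaults (scope "base",
    filter "(objectClass=*)").
    """
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    # The path carries the DN; everything after the first '?' is the
    # query section, whose own fields are separated by '?'.
    dn = unquote(parts.path.lstrip("/"))
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (4 - len(fields))
    attrs, scope, filt, exts = fields[:4]
    return {
        "scheme": parts.scheme,
        # urlsplit lowercases the host, so comparisons below are
        # case-insensitive by construction.
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "dn": dn,
        "attrs": [a for a in attrs.split(",") if a],
        "scope": scope or "base",
        "filter": unquote(filt) or "(objectClass=*)",
        "extensions": [e for e in exts.split(",") if e],
    }


def check_referral(ref_url, issuing_host):
    """Return findings for a referral that `issuing_host` hands out."""
    ref = parse_ldap_url(ref_url)
    findings = []
    if ref["host"] == issuing_host.lower():
        findings.append("loop: referral points back at the issuing server")
    if ref["scheme"] == "ldap":
        findings.append("cleartext: bind credentials chased to this "
                        "referral travel unencrypted unless StartTLS is used")
    if not ref["dn"]:
        findings.append("empty DN: referral names no subtree")
    return findings
```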