
Referrals



Hi,

I'm having some problems getting referrals working at the moment.  I have a
situation where not all user data is stored on one server, but distributed
over two servers.  Server A is always asked for user authentication, however
in some cases that information won't be stored there but on server B instead.
In fact with some users, absolutely no information will be stored about them
at all on Server A.  In these cases, server A has to send the request on to
server B, which should then provide the validation, pass that back to server
A which will then allow the user access.

I have tried using both the Subordinate Knowledge style, which as I
understand is the correct method for this type of authentication, and the
Superior Knowledge, which seems not to be correct for this situation.
Neither is working.  I have also checked using tcpdump, looking to see if
any data at all is passed from server A to server B, but none at all is
passed.

I now find myself quite lost as to what is going on and would appreciate
some help from someone.

Ian


The referral object I created on Server A was from the following ldif file:

dn: dc=subtree,dc=shnet,dc=at
objectClass: referral
objectClass: extensibleObject
dc: subtree
ref: ldap://195.26.207.166/dc=subtree,dc=shnet,dc=at


The slapd.conf file I have on Server A is:

# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.6 2001/04/20 23:32:43 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/corba.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/java.schema
include         /etc/openldap/schema/krb5-kdc.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/nadf.schema
include         /etc/openldap/schema/openldap.schema

schemacheck     on

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org
referal       ldap://195.26.207.166

# Timeout period in seconds in which to wait for an answer from the ldap
# search requests
# default is 3600
timelimit 30

pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args

#loglevel 9

# Load dynamic backend modules:
# modulepath    /usr/lib/openldap/openldap
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la

#######################################################################
# ldbm database definitions
#######################################################################

database        ldbm
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory       /var/lib/ldap

suffix  "dc=shnet,dc=at"

rootdn  "uid=Manager,dc=shnet,dc=at"

# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
rootpw <you dont think Im going to give that away, do you?>

access to attr=userPassword,ldapPassword,clearTextPassword
 by * read
access to *
 by dn="uid=Manager,dc=shnet,dc=at" write
 by * read
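
Added example, not part of the original post: a small Python audit of slapd.conf-style text that flags directive names that are near-misses of known ones and reports when the first access rule covering userPassword grants read or write to `*` or `anonymous`. The helper names, the sample text and its address and suffix are constructed for illustration, and the parser is simplified (attribute lists in the `to` clause only, `<who>` selectors without spaces).

```python
import difflib

# Subset of slapd.conf(5) directive names: the ones the posted file uses.
KNOWN = {"include", "schemacheck", "referral", "timelimit", "pidfile",
         "argsfile", "loglevel", "modulepath", "moduleload", "database",
         "directory", "suffix", "rootdn", "rootpw", "access"}

# Constructed sample mirroring the posted directives (documentation address/suffix).
SAMPLE = """\
referal       ldap://192.0.2.10
access to attr=userPassword,ldapPassword,clearTextPassword
 by * read
access to *
 by dn="uid=Manager,dc=example,dc=com" write
 by * read
"""

def logical_lines(text):
    """Drop comments and blanks; fold indented continuation lines."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def audit(text, attr="userPassword"):
    """Hypothetical helper: list misspelled directives and anonymous read access to attr."""
    findings, decided = [], False
    for tok in map(str.split, logical_lines(text)):
        name = tok[0].lower()
        if name not in KNOWN:
            near = difflib.get_close_matches(name, sorted(KNOWN), n=1, cutoff=0.8)
            if near:
                findings.append(f"unknown directive '{tok[0]}' (did you mean '{near[0]}'?)")
        elif name == "access" and not decided and len(tok) >= 3:
            what = tok[2].lower()
            attrs = what.partition("=")[2].split(",") if what.startswith("attr") else []
            if what == "*" or attr.lower() in attrs:
                decided = True  # slapd uses the first rule whose <what> matches
                for i in range(3, len(tok) - 2, 3):  # clauses: by <who> <level>
                    if tok[i + 1] in ("*", "anonymous"):
                        if tok[i + 2] in ("read", "write"):
                            findings.append(f"{attr} readable by '{tok[i + 1]}' ({tok[i + 2]})")
                        break  # first matching <who> clause decides
    return findings
```

Calling `audit(SAMPLE)` returns one finding for the misspelled directive and one for the password rule; a rule that gives anonymous clients only `auth` produces no finding.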