
Re: Distributed LDAP

Imobach González Sosa (igonzalez@becarios.ulpgc.es) wrote:
> Hi all,
> We're trying to set up a distributed LDAP service and I haven't found
> comprehensive documentation on how to accomplish that. Any link to such
> documentation?

It's actually not that difficult, and is explained in the OL Administrator's
Guide, but I'll comment anyhow.

> However, that thread is 5 years old and maybe things have changed since those
> days. So, I'll repeat some of them. First of all, the scenario: we've got two
> servers (oneserver and otherserver). "oneserver" suffix is
> "dc=my-domain,dc=com" and we wanna delegate "ou=People,dc=my-domain,dc=com"
> to "otherserver".
> 1) suffix in oneserver is "dc=my-domain,dc=com". Is it mandatory for the suffix in
> "otherserver" to be "ou=People,dc=my-domain,dc=com"?
Yes, it is. Unless you use some mediation device which translates DNs on-the-fly.

> 2) How is authentication accomplished in "otherserver"? Suppose that I use a
> "user" "cn=proxyuser,dc=my-domain,dc=com" to bind to "oneserver". If I query
> on "dc=my-domain,dc=com" and the entry I'm looking for is in "otherserver",
> how does 'oneserver' know which binddn it must use? Is the client
> responsible for knowing about it?

With referrals, the client is responsible for knowing in advance all required
credentials for connecting to referred servers, if anonymous access is not
allowed for the desired operation.

The other alternative is called "chaining", where the server fetches the remote
entries on your behalf and you don't need multiple sets of credentials. I don't
believe that OL supports this, but I could be wrong.

> Ok, I guess that implementing distributed LDAP services is easier than
> understanding my message with my poor English skills ;-) Sorry!

I understand your English just fine. Nothing to apologize about.
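For readers who want to see what the referral-based split described above looks like in practice, here is an added example (not part of the original thread, and not the poster's or the OpenLDAP project's own configuration) of the two slapd.conf fragments. It uses the hostnames and DNs from the question; the rootdn values, database backend and directory paths are assumptions chosen for illustration.

```conf
# --- oneserver: slapd.conf fragment (example; backend, rootdn and paths are assumed) ---
database    mdb
suffix      "dc=my-domain,dc=com"
rootdn      "cn=Manager,dc=my-domain,dc=com"
directory   /var/lib/openldap/my-domain
# oneserver holds everything except ou=People. It does not hold, and never
# forwards, any credentials for otherserver: a search that reaches ou=People
# only returns the referral URL stored in the glue entry (see note below).

# --- otherserver: slapd.conf fragment (example; backend, rootdn and paths are assumed) ---
# Global "superior knowledge": any request for a DN outside this server's
# naming context is answered with a referral back to oneserver.
# ldaps:// rather than ldap:// so that clients chasing the referral do not
# re-bind in the clear.
referral    ldaps://oneserver/

database    mdb
# The naming context must be exactly the delegated subtree, as the reply says:
# this is the DN that will appear in the referral from oneserver.
suffix      "ou=People,dc=my-domain,dc=com"
rootdn      "cn=Manager,ou=People,dc=my-domain,dc=com"
directory   /var/lib/openldap/people
```

On oneserver the delegation point is a glue entry, added with ldapadd as `dn: ou=People,dc=my-domain,dc=com` / `objectClass: referral` / `objectClass: extensibleObject` / `ou: People` / `ref: ldaps://otherserver/ou=People,dc=my-domain,dc=com`. Because the client, not oneserver, opens the second connection, otherserver's access control must be written for whatever identity the client presents there (a separate bind, or anonymous if the client tool chases referrals without re-binding), and any binddn used on otherserver has to exist under its own suffix.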