[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Distributed LDAP

To: "Mike Jackson" <mj@sci.fi>
Subject: Re: Distributed LDAP
From: "Pierangelo Masarati" <ando@sys-net.it>
Date: Thu, 17 Mar 2005 12:45:40 +0100 (CET)
Cc: Imobach González Sosa <igonzalez@becarios.ulpgc.es>, openldap-software@OpenLDAP.org
Importance: Normal
In-reply-to: <20050317112238.GB4581@rocket.netauth.com>
References: <200503170959.27711.igonzalez@becarios.ulpgc.es> <20050317112238.GB4581@rocket.netauth.com>
User-agent: SquirrelMail/1.4.3a-1

> Imobach Gonz?lez Sosa (igonzalez@becarios.ulpgc.es) wrote:
>> Hi all,
>>
>> We're trying to set up a distributed LDAP service and I haven't found
>> comprehensive documentation on how accomplish that. Any link to such
>> documentation?
>
> It's actually not that difficult, and is explained in the OL
> Administrator's
> Guide, but I'll comment anyhow.
>
>
>> However, that thread is 5 years old and maybe things has changed from
>> this
>> days. So, I'll repeat some of them. First of all, the scenario: we've
>> got two
>> servers (oneserver and otherserver). "oneserver" suffix is
>> "dc=my-domain,dc=com" and we wanna delegate
>> "ou=People,dc=my-domain,dc=com"
>> to "otherserver".
>>
>> 1) suffix in oneserver is "ou=People,dc=my-domain,dc=com. Is mandatory
suffix in
>> "otherserver" to be "ou=People,dc=my-domain,dc=com"?
>
> Yes, it is. Unless you use some mediation device which translates DNs
> on-the-fly.

Technically, it would be improper to have more than one DSA handle
portions of the same subtree, I concur.  Practically, you can design your
distributed system to share some portions of the tree, provided you do
take care of consistency.

e.g.  one may want to have a DSA that's a replica except for one subtree,
which should always be referred to the master DSA.  In this case, the
master and the replica would share the same namingContext, but the replica
would refer portions of the subtree back to the master.

>
>
>> 2) How authentication is accomplished in "otherserver". Suppose that I
>> use a
>> "user" "cn=proxyuser,dc=my-domain,dc=com" to bind to "oneserver". If I
>> query
>> on "dc=my-domain,dc=com" and the entry I'm looking for is in
>> "otherserver",
>> how 'oneserver' knows which binddn must use? Is the client the
>> responsible of
>> knowing about it?
>
> With referrals, the client is responsible for knowing in advance all
> required
> credentials for connecting to referred servers, if anonymous access is not
> allowed for the desired operation.
>
> The other alternative is called "chaining", where the server fetches the
> remote
> entries on your behalf and you don't need multiple sets of credentials. I
> don't
> believe that OL supports this, but I could be wrong.

It does in HEAD/2.3, by way of the chaining overlay, see slapo-chain(5)
for details; partial support is available in 2.2 as well, which should be
fine for most needs.

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497

Follow-Ups:
- Re: Distributed LDAP
  - From: Mike Jackson <mj@sci.fi>

References:
- Distributed LDAP
  - From: Imobach González Sosa <igonzalez@becarios.ulpgc.es>
- Re: Distributed LDAP
  - From: Mike Jackson <mj@sci.fi>

Prev by Date: Re: Distributed LDAP
Next by Date: RE: ldapsearch and sasl
Index(es):
- Chronological
- Thread