[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Distributed LDAP

> Imobach Gonz?lez Sosa (igonzalez@becarios.ulpgc.es) wrote:
>> Hi all,
>> We're trying to set up a distributed LDAP service and I haven't found
>> comprehensive documentation on how accomplish that. Any link to such
>> documentation?
> It's actually not that difficult, and is explained in the OL
> Administrator's
> Guide, but I'll comment anyhow.
>> However, that thread is 5 years old and maybe things has changed from
>> this
>> days. So, I'll repeat some of them. First of all, the scenario: we've
>> got two
>> servers (oneserver and otherserver). "oneserver" suffix is
>> "dc=my-domain,dc=com" and we wanna delegate
>> "ou=People,dc=my-domain,dc=com"
>> to "otherserver".
>> 1) suffix in oneserver is "ou=People,dc=my-domain,dc=com. Is mandatory
suffix in
>> "otherserver" to be "ou=People,dc=my-domain,dc=com"?
> Yes, it is. Unless you use some mediation device which translates DNs
> on-the-fly.

Technically, it would be improper to have more than one DSA handle
portions of the same subtree, I concur.  Practically, you can design your
distributed system to share some portions of the tree, provided you do
take care of consistency.

e.g.  one may want to have a DSA that's a replica except for one subtree,
which should always be referred to the master DSA.  In this case, the
master and the replica would share the same namingContext, but the replica
would refer portions of the subtree back to the master.

>> 2) How authentication is accomplished in "otherserver". Suppose that I
>> use a
>> "user" "cn=proxyuser,dc=my-domain,dc=com" to bind to "oneserver". If I
>> query
>> on "dc=my-domain,dc=com" and the entry I'm looking for is in
>> "otherserver",
>> how 'oneserver' knows which binddn must use? Is the client the
>> responsible of
>> knowing about it?
> With referrals, the client is responsible for knowing in advance all
> required
> credentials for connecting to referred servers, if anonymous access is not
> allowed for the desired operation.
> The other alternative is called "chaining", where the server fetches the
> remote
> entries on your behalf and you don't need multiple sets of credentials. I
> don't
> believe that OL supports this, but I could be wrong.

It does in HEAD/2.3, by way of the chaining overlay, see slapo-chain(5)
for details; partial support is available in 2.2 as well, which should be
fine for most needs.


Pierangelo Masarati

    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497