[Date Prev][Date Next] [Chronological] [Thread] [Top]

Rép. : Re: Overlay glue

To: <h.b.furuseth@usit.uio.no>
Subject: Rép. : Re: Overlay glue
From: "Eudes LEDUCQ" <LEDUCQ@hec.fr>
Date: Mon, 14 Nov 2005 16:28:46 +0100
Cc: <OpenLDAP-software@OpenLDAP.org>

Hi,

I have now in my directory a referral subtree like the exemple

     dn: ou=foo,dc=example,dc=com
     ou: foo
     ref: ldap://B.example.com/ou=foo,dc=example,dc=com
     objectClass: referral
     objectClass: extensibleObject

Now I have some java class which can search, add, modify entries in my
directory (thx novell).

The referral search work, but not the add or modify. The referral is
following , i sure (-> log) when i add a new entry, but it's don't
create the new entry. it's was not ACL , I sure too. so I don't
understand.
do I need have special parameters in server B ?

thx.

>>> Hallvard B Furuseth <h.b.furuseth@usit.uio.no> 11/10 7:54  >>>
Eudes LEDUCQ writes:
> I have tried without success ... I search to do this but my two
> database are on different server. is it possible ?

Oh, I see.  That's not a glue/subordinate matter.

With LDAP, if clients search one server for data which is stored in
another server, you normally set up the first server to return a
referral to the second in this case.  When the client receives a
referral follows it (if this is enabled in the client) - i.e. it tries
the request against the second server.

If server A contains the tree with base "dc=example,dc=com" except
that
the "ou=foo,dc=example,dc=com" tree is in server B, then you create an
entry "ou=foo,dc=example,dc=com" in server A with object class
"referral" which refers to server B:

      dn: ou=foo,dc=example,dc=com
      ou: foo
      ref: ldap://B.example.com/ou=foo,dc=example,dc=com
      objectClass: referral
      objectClass: extensibleObject

OTOH, if you are going the other way (from B to A), then you can just
use the "referral" directive in B's slapd.conf to refer _all_ searches
above "ou=foo,dc=example,dc=com" to server A.

However, you can set up one server to search the other server for you
instead of returning a referral to the client:

For server B to contact server A, you would use two databases in B's
slapd.conf:

   database bdb
   suffix ou=foo,dc=example,dc=com
   ... just a usual BDB (or HDB or LDBM) database ...
   # Actually I haven't tried if "subordinate" works here.
   # Without it, searches based at dc=example,dc=com will not search
   # ou=foo, only searches at or below ou=foo,... will do that.
   subordinate
   ...

   database ldap
   suffix dc=example,dc=com
   uri ldap://A.example.com/

Now access to the ou=foo,... tree will work as usual, while B contacts
A
for access to the rest of the dc=example,dc=com tree.

For server A to contact server B you can do it the other way around in
A, but it's probably better to have just one database and the referral
object above, and use the "chain" overlay which will follows referrals
for you.

I don't know if the chain overlay and ldap database discover loops
from
B to A to B to A, so I wouldn't set up both servers to chain to each
other without checking if that's a good idea.

Note that there are various restrictions on what you can do across
servers.  Bind credentials may not be preserved (but there are config
directives for Bind), you cannot move objects between servers, aliases
between them don't work, etc.

See man slapd.conf, man slapd-ldap and man slapo-chain.

-- 
Hallvard

Follow-Ups:
- Re: RÃp. : Re: Overlay glue
  - From: Jon Roberts <jon@jonanddeb.net>

Prev by Date: Re: Critical extension and Internal (implementation specific) errors
Next by Date: chain overlay
Index(es):
- Chronological
- Thread