[Date Prev][Date Next] [Chronological] [Thread] [Top]

referral with authentication

Hi list,

I'm having some problems getting referrals working at the moment.  I have a
situation where not all user data is stored on one server, but distributed
over two servers.  Server A is always asked for user authentication, however
in some cases that information wont be stored there but on server B instead.
In fact with some users, absolutely no information will be stored about them
at all on Server A.  In these cases, server A has to refer to server B.
There are in my opinion two patterns to do the referral:

1. Server A sends only the referral back to the client and the client
itself asks Server B for authentication.

2. Through the configuration option overlay chain the server A sends the
authentication to server B, which should then provide the validation, and
then pass it back to the client.

In my scenario the client (liferay portal - http://www.liferay.com) the
client should do the referral.
So I have tried using the Subordinate Knowledge style, which as I
understand is the correct method for this type of authentication.
I have checked also to see if any data at all is passed from server A to
server B, but none at all is passed.
When I search (with ldapsearch) users stored in server B I get as result
the reference:

# search reference
ref: ldap://serverA:389/cn=subtree,dc=suffix??sub

When I try to authenticate via a user stored in server B I get this error
bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989)

The referral object I created on Server A was from the following ldif file:

dn: cn=subtree,dc=suffix
objectClass: referral
objectClass: extensibleObject
cn: subtree
ref: ldap://serverA:389/cn=subtree,dc=suffix

and I also set the ACLs to

access to * by * read
access to attrs=userPassword by anonymous auth

I also tried the overlay chain, but I doubt if this is the right way to
solve my problem. To except the case that the client does something wrong
I'm looking for a client to simply test my scenario.
ldapsearch can't test the authentication, I think.
I now find myself quite lost as to what is going on and appreciate with some
help from someone.

Thank you and best regards

Sabine Hanß *** email sabine.hanss@charite.de