Re: How To (correctly) reference an LDAP entry

Christian Marg writes:
> I have some entries in my own OpenLDAP server (Server A, Base:
> dc=tu-clausthal,dc=de) and would like to link each of them to entries
> stored on a foreign LDAP Server (Server B, Base: ou=X,o=Y,c=Z).
> I have added the "seeAlso"-attribute containing the DNs I want to link
> my LDAP-entries to, but since they are in another name space and on a
> foreign Server, they point to "nil".

No, "nil" is not an LDAP term - but maybe the LDAP entry contains no
seeAlso attribute, and your programming language returns "nil" for
attempts to look up an attribute which is not present in the entry.

Put the DNs of the entries in question in the seeAlso attribute, just
as you would do if the entries they point at were stored in server A.

Then set up server A so that attempts to look up an entry under
ou=X,o=Y,c=Z will return a referral to server B to the client, or will
cause server A to contact server B and return the results to the client.

The simplest way is to put
    referral ldap://server B/
in slapd.conf, so that attempts to look up _any_ entry outside
dc=tu-clausthal,dc=de in server A will return a referral to server B.

Or to get server A to contact server B, use "database ldap" with
suffix "ou=X,o=Y,c=Z" in server A, referring to server B.

Other options are to create a referral entry "ou=X,o=Y,c=Z" in server A,
and maybe to use the chain overlay to get A to contact B.  But probably
not in this simple case.

Note that authentication and access control can get troublesome with
cross-server trees.  (If you are authenticated when talking to server A,
and then look up something in server B, should B be contacted
anonymously or with the same DN or as something else?)
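
Added example, not part of the original message: a client-side sketch of the closing question, deciding whether to follow a referral from server A and which identity to use at the target. The `TRUSTED` table, the hostnames `server-a.example` and `server-b.example`, and the bind-mode labels are assumptions made for illustration.

```python
from urllib.parse import urlsplit, unquote

# Assumed policy (constructed): naming context -> (server expected to hold it,
# identity to use there). Hostnames are placeholders, not from the thread.
TRUSTED = {
    "dc=tu-clausthal,dc=de": ("server-a.example", "same-dn"),
    "ou=X,o=Y,c=Z": ("server-b.example", "anonymous"),
}

def norm_dn(dn):
    """Simplified DN normalisation: lowercase, trim spaces around RDNs.
    Does not handle escaped commas; enough for the DNs in this thread."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def under(dn, suffix):
    """True if dn equals suffix or lies below it."""
    dn, suffix = norm_dn(dn), norm_dn(suffix)
    return dn == suffix or dn.endswith("," + suffix)

def plan_referral(target_dn, referral_url):
    """Decide whether and how to follow a referral returned for target_dn.
    Returns (host, port, bind_mode); raises ValueError if policy forbids it."""
    u = urlsplit(referral_url)
    if u.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: " + referral_url)
    host = (u.hostname or "").lower()
    port = u.port or (636 if u.scheme == "ldaps" else 389)
    # RFC 4516: a DN in the URL path replaces the DN of the original request.
    ref_dn = unquote(u.path.lstrip("/")) or target_dn
    for suffix, (trusted_host, mode) in TRUSTED.items():
        if under(ref_dn, suffix):
            if host != trusted_host:
                raise ValueError(f"{host} is not the expected server for {suffix}")
            # Do not replay the bind identity over cleartext ldap://.
            if mode == "same-dn" and u.scheme != "ldaps":
                mode = "anonymous"
            return host, port, mode
    raise ValueError("no naming context configured for " + ref_dn)

if __name__ == "__main__":
    print(plan_referral("cn=Jane,ou=X,o=Y,c=Z", "ldap://server-b.example/"))
```

A referral naming a host that is not the expected holder of the suffix is rejected rather than followed, so the client never presents credentials to a server it was merely pointed at.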