
Re: Chain 2 master LDap



On Tue, 10 Jan 2017 18:45:50 +0100,
BENICHOU Fabrice - Contractor
<fabrice.benichou@external.thalesaleniaspace.com> wrote:

> Hello, I am trying to chain 2 LDAP masters (providers):
> 
> My system is:
> - 1 Master "central" with suffix="dc=com": it contains LDAP POSIX
>   users like "adminCentral".
> - 1 Master "local" with suffix="dc=com": it contains LDAP POSIX
>   users like "adminlocal".
> The goal is to chain requests when an LDAP client asks Master "local":
> the latter shall chain the request to Master "central" and return the
> result to the client. For example, if "uid=adminCentral,User,dc=com" is
> not found in the Master "local" LDAP, the Master "local" LDAP shall
> check whether this entry exists in Master "central".
> 
> 
> 1)      Is it possible for a Master to chain via the overlay, with the
> "olcDbURI" parameter, to another Master? I only see examples where
> Slaves (Consumers) chain to a Master (Provider).
> 
> 2)      My Master "local" is configured with TLS: it has a Master_pem
> certificate and a rootCA_local.pem (used in fact to authenticate a
> local slave for replication). How do I get TLS between "Master local"
> and "Master central"? If the rootCA_central.pem (trust chain) is not
> the same as rootCA_local.pem, how do I complete the trust chain of the
> Master local?
> 
> My work is based on the documentation at
> http://www.zytrax.com/books/ldap/ch7/referrals.html#chaining (7.3.5),
> 
> but the full documentation is not available and I use dynamic
> configuration with "olc". I have also found the Chain Overlay Minimal
> LDIF Configuration at
> http://serverfault.com/questions/518407/openldap-2-4-chain-overlay-minimal-ldif-configuration
> but the delegation does not work. Does anyone have a tutorial?

You should read the OpenLDAP documentation and not other unreliable sources.
man slapo-chain(5) provides sufficient information. You may consider
slapd-relay(5) as an alternative solution.

http://www.openldap.org/doc/admin24/overlays.html#Chaining
http://www.openldap.org/doc/admin24/backends.html#Relay

-Dieter

-- 
Dieter Klünter | Systems Consulting
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
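As an added illustration, not part of Dieter's reply or of the OpenLDAP documentation he points to: a cn=config LDIF in the form slapo-chain(5) and slapd-ldap(5) describe, covering both questions for the two-master setup above. The hostname central.example.com, the bind identity cn=chainer,dc=com, the certificate paths and the referral entry ou=central,dc=com are assumptions made for this example. Two points the man pages make and the example relies on: the chain overlay only acts on referrals the local server itself returns, so a plain "no such object" for an entry under a suffix the local master serves in full is never chained (a referral object in the local data is what triggers it, which is why a minimal overlay configuration alone appears to "not work"); and trust for the outbound connection is configured on the chaining back-ldap database with its own tls_cacert, independent of the server's olcTLSCACertificateFile, so rootCA_central.pem does not have to be merged into rootCA_local.pem.

```ldif
# Added example for the thread's setup: local master (suffix dc=com) chaining
# referrals to the central master over StartTLS.  Hostname, bind DN, password,
# certificate paths and the ou=central subtree are assumptions, not values from
# the original post.

# 1. Chain overlay on the frontend so it applies to every database.
dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {0}chain
# Do not cache the URI of the last referral target.
olcChainCacheURI: FALSE
# If chasing fails, return the error to the client instead of the referral.
olcChainReturnError: TRUE
olcChainMaxReferralDepth: 1

# 2. The back-ldap database that does the chasing (one per target URI).
dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {0}ldap
olcDbURI: "ldap://central.example.com"
# Question 2: outbound TLS trust is set per back-ldap database and does not
# depend on the server's own olcTLSCACertificateFile (rootCA_local.pem).
# Point it at the central CA and require the peer certificate to verify.
olcDbStartTLS: start tls_cacert=/etc/openldap/certs/rootCA_central.pem tls_reqcert=demand
# Bind to central as one dedicated identity and assert the original client's
# identity with the proxied authorization control (mode=self).  Central must
# allow this for cn=chainer via its authzTo/authzFrom policy.
olcDbIDAssertBind: mode=self bindmethod=simple binddn="cn=chainer,dc=com" credentials="change-me"
# Only identities under dc=com may be asserted through this link.
olcDbIDAssertAuthzFrom: dn.subtree:dc=com

# 3. In the local master's DATA (not cn=config): a referral object for the
# subtree that lives on central.  A lookup under ou=central,dc=com on the
# local master now yields a referral, which the overlay chases on the client's
# behalf; without such an object the overlay has nothing to act on.
dn: ou=central,dc=com
changetype: add
objectClass: referral
objectClass: extensibleObject
ou: central
ref: ldap://central.example.com/ou=central,dc=com
```

Load the first two entries with ldapmodify against cn=config and the third against the local data database. Check with a search for an entry under ou=central,dc=com issued to the local master without the ManageDsaIT control: the client should receive the entry (or a clean noSuchObject from central) rather than a referral; a search with ManageDsaIT (ldapsearch -M) should return the referral object itself, confirming where the chaining is triggered.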