
RE: openldap-technical Digest, Vol 110, Issue 14



Hello, I would like to clarify my problem:
My 2 LDAP servers (configured as Provider) share the same tree (DIT) (same part of the tree):
- "Server local" manages the whole tree with the structure:
dc=com
ou=People,dc=com
	uid=local_admin,ou=People,dc=com
ou=Group,dc=com

- "Server central" manages a database with the SAME tree structure but with other accounts
dc=com
ou=People,dc=com
	uid=central_admin,ou=People,dc=com
ou=Group,dc=com

Is it possible to configure the "Server local" to delegate the request to "Server central" if an account is not found locally?
For example, with LDAPSEARCH:
>ldapsearch -H  ldaps://Server-local.com   -b  ou=dcom  -w private -D "cn=Admin,dc=com"  uid=central_admin  mail  -x -C 
=> This fails: the Server local does not return the "Server central" to ldapsearch.

However, if I change the DIT of "Server central" so that it is different, the LDAP delegation works. For example:
- "Server central"'s DIT:
dc=com2
ou=People,dc=com2
	uid=central_admin,ou=People,dc=com2
ou=Group,dc=com2

>ldapsearch -H  ldaps://Server-local.com   -b  ou=com2  -w private -D "cn=Admin,dc=com"  uid=central_admin  mail  -x -C 
=> This works:
Dn: uid=adminCentral,ou=People,dc=com2
Mail: admin_central@com2.com

ldapsearch's trace contains the referral URL:
"ldap_chase_v3_referral: msgid 2, url "ldaps:// Server-central.com /dc=com2 ??sub"

It seems that no referral is returned if the trees are identical: is it possible to configure the LDAP server "local" to return the referral to the "central" (root) if the local query fails?
The OpenLDAP Admin Guide (version 2.4), chapter 5.2.1.3 (olcReferral), says: "This directive specifies the referral to pass back when slapd cannot find a local database to handle a request".

Best regards
Fb


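An added illustration of the rule quoted from the Admin Guide (example code written for this page, not from the thread or from OpenLDAP itself): a small Python model of how slapd picks a local database for a search base and hands back the global olcReferral only when no database matches, which is why the dc=com2 base draws a referral while a missing uid under dc=com does not. The function names, the SERVER_LOCAL description and the simplified DN matching are assumptions of this model.

```python
# Added model (not slapd source): how the global olcReferral is chosen.
# Assumptions: a server is described only by its database suffixes, its
# olcReferral value and a flat list of entry DNs; DN matching is simplified
# (case-insensitive, whitespace around '=' and ',' ignored, no escaping).

def normalize_dn(dn):
    """'uid= central_admin ,ou=People,dc=com' -> ['uid=central_admin', 'ou=people', 'dc=com']"""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return [r for r in rdns if r != "="]

def dn_is_within(dn, suffix):
    """True when suffix names dn itself or one of its ancestors."""
    d, s = normalize_dn(dn), normalize_dn(suffix)
    return len(s) <= len(d) and d[len(d) - len(s):] == s

def select_backend(suffixes, base_dn):
    """Model of backend selection: the database whose suffix contains the
    search base wins (longest suffix first); None when no database matches."""
    matches = [s for s in suffixes if dn_is_within(base_dn, s)]
    return max(matches, key=lambda s: len(normalize_dn(s))) if matches else None

def handle_search(server, base_dn, uid):
    """What the server answers: a referral only when no local database
    holds the base DN; otherwise the matching entries (possibly none)."""
    backend = select_backend(server["suffixes"], base_dn)
    if backend is None:
        # Only this path returns the global olcReferral.
        return {"referral": f"{server['referral']}/{base_dn}??sub"}
    hits = [e for e in server["entries"]
            if dn_is_within(e, backend) and f"uid={uid.lower()}" in normalize_dn(e)]
    # A uid absent from a database that is local is an empty result,
    # not a referral: slapd does not fall back to olcReferral here.
    return {"entries": hits}

# Constructed description of the thread's "Server local" (serves dc=com).
SERVER_LOCAL = {
    "suffixes": ["dc=com"],
    "referral": "ldaps://Server-central.com",
    "entries": ["uid=local_admin,ou=People,dc=com"],
}

if __name__ == "__main__":
    print(handle_search(SERVER_LOCAL, "dc=com", "central_admin"))   # no referral
    print(handle_search(SERVER_LOCAL, "dc=com2", "central_admin"))  # referral
```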


-----Original Message-----
From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On behalf of openldap-technical-request@openldap.org
Sent: Sunday, 15 January 2017 13:00
To: openldap-technical@openldap.org
Subject: openldap-technical Digest, Vol 110, Issue 14


Today's Topics:

   1. Re: Generic Referrals never received. (Quanah Gibson-Mount)


----------------------------------------------------------------------

Message: 1
Date: Sat, 14 Jan 2017 11:57:57 -0800
From: Quanah Gibson-Mount <quanah@symas.com>
To: BENICHOU Fabrice - Contractor
	<fabrice.benichou@external.thalesaleniaspace.com>,
	openldap-technical@openldap.org
Subject: Re: Generic Referrals never received.
Message-ID: <F3905FAB793AC520D721F0B1@[192.168.1.30]>
Content-Type: text/plain; charset=us-ascii; format=flowed

--On Friday, January 13, 2017 5:16 PM +0100 BENICHOU Fabrice - Contractor <fabrice.benichou@external.thalesaleniaspace.com> wrote:

> the configuration of "localserver.domain.com" is:
>
> dn: cn=config
> objectClass: olcGlobal
> cn: config
> olcArgsFile: /var/run/openldap/slapd.args
> olcPidFile: /var/run/openldap/slapd.pid
> olcTLSCACertificatePath: /etc/openldap/certs
> olcTLSCertificateFile: "OpenLDAP Server"
> olcTLSCertificateKeyFile: /etc/openldap/certs/password
> structuralObjectClass: olcGlobal
> creatorsName: cn=config
> olcReferral: ldaps://centralserver.domain.com
> olcLogLevel: -1

This is not a full configuration.  It looks like you simply cut and pasted the cn=config.ldif file.  You would want to slapcat the cn=config DB to get the full config database.  I'm assuming you're trying to report a configuration issue on your end with back-ldap or similar.  You'd most likely want to only provide the relevant configuration details for that portion of the configuration database.

Regards,
Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>



