1SLAPO-CHAIN(5)                File Formats Manual               SLAPO-CHAIN(5)
2
3
4

NAME

6       slapo-chain - chain overlay to slapd
7

SYNOPSIS

9       /etc/openldap/slapd.conf
10

DESCRIPTION

12       The  chain  overlay to slapd(8) allows automatic referral chasing.  Any
13       time a referral is returned (except for bind operations), it is  chased
14       by  using an instance of the ldap backend.  If operations are performed
15       with an identity (i.e. after a bind), that  identity  can  be  asserted
16       while  chasing the referrals by means of the identity assertion feature
17       of back-ldap (see slapd-ldap(5)  for  details),  which  is  essentially
18       based  on the proxied authorization control [RFC 4370].  Referral chas‐
19       ing can be controlled by the client by  issuing  the  chaining  control
20       (see draft-sermersheim-ldap-chaining for details.)
21
22
23       The  config  directives that are specific to the chain overlay are pre‐
24       fixed by chain-, to avoid potential conflicts with directives  specific
25       to the underlying database or to other stacked overlays.
26
27
28       There  are  very few chain overlay specific directives; however, direc‐
29       tives related to the instances of the ldap backend that may be  implic‐
30       itly instantiated by the overlay may assume a special meaning when used
31       in conjunction with this overlay.  They are described in slapd-ldap(5),
32       and they also need to be prefixed by chain-.
33
34       Note: this overlay is built into the ldap backend; it is not a separate
35       module.
36
37
38       overlay chain
39              This directive adds the chain overlay to  the  current  backend.
40              The chain overlay may be used with any backend, but it is mainly
41              intended for use with local storage  backends  that  may  return
42              referrals.  It is useless in conjunction with the slapd-ldap and
43              slapd-meta backends because they  already  exploit  the  libldap
44              specific  referral chase feature.  [Note: this may change in the
45              future, as the ldap(5) and  meta(5)  backends  might  no  longer
46              chase referrals on their own.]
47
48       chain-cache-uri {FALSE|true}
49              This  directive instructs the chain overlay to cache connections
50              to URIs parsed out of referrals that are not predefined,  to  be
51              reused  for  later  chaining.  These URIs inherit the properties
52              configured for the underlying slapd-ldap(5)  before  any  occur‐
53              rence  of  the  chain-uri directive; basically, they are chained
54              anonymously.
55
56       chain-chaining [resolve=<r>] [continuation=<c>] [critical]
57              This directive enables the chaining control  (see  draft-sermer‐
58              sheim-ldap-chaining  for  details)  with the desired resolve and
59              continuation behaviors and criticality.  The  resolve  parameter
60              refers to the behavior while discovering a resource, namely when
61              accessing the object indicated by the request DN; the  continua‐
62              tion  parameter refers to the behavior while handling intermedi‐
63              ate responses, which is mostly significant for the search opera‐
64              tion,  but may affect extended operations that return intermedi‐
65              ate responses.  The values r and c can be  any  of  chainingPre‐
66              ferred, chainingRequired, referralsPreferred, referralsRequired.
67              If the critical flag affects the  control  criticality  if  pro‐
68              vided.  [This control is experimental and its support may change
69              in the future.]
70
71       chain-max-depth <n>
72              In case a referral is returned during referral chasing,  further
73              chasing  occurs at most <n> levels deep.  Set to 1 (the default)
74              to disable further referral chasing.
75
76       chain-return-error {FALSE|true}
77              In case referral chasing  fails,  the  real  error  is  returned
78              instead  of  the  original  referral.  In case multiple referral
79              URIs are present, only the first error is returned.  This behav‐
80              ior  may not be always appropriate nor desirable, since failures
81              in referral chasing might be better resolved by the client (e.g.
82              when caused by distributed authentication issues).
83
84       chain-uri <ldapuri>
85              This  directive  instantiates a new underlying ldap database and
86              instructs it about which URI to contact to chase referrals.   As
87              opposed to what stated in slapd-ldap(5), only one URI can appear
88              after this directive; all  subsequent  slapd-ldap(5)  directives
89              prefixed  by  chain- refer to this specific instance of a remote
90              server.
91
92       Directives for configuring the underlying ldap  database  may  also  be
93       required, as shown in this example:
94
95              overlay                 chain
96              chain-rebind-as-user    FALSE
97
98              chain-uri               "ldap://ldap1.example.com"
99              chain-rebind-as-user    TRUE
100              chain-idassert-bind     bindmethod="simple"
101                                      binddn="cn=Auth,dc=example,dc=com"
102                                      credentials="secret"
103                                      mode="self"
104
105              chain-uri               "ldap://ldap2.example.com"
106              chain-idassert-bind     bindmethod="simple"
107                                      binddn="cn=Auth,dc=example,dc=com"
108                                      credentials="secret"
109                                      mode="none"
110
111
112       Any   valid   directives  for  the  ldap  database  may  be  used;  see
113       slapd-ldap(5) for  details.   Multiple  occurrences  of  the  chain-uri
114       directive  may  appear,  to define multiple "trusted" URIs where opera‐
115       tions with identity assertion are chained.  All URIs not listed in  the
116       configuration  are  chained  anonymously.  All slapd-ldap(5) directives
117       appearing before the first occurrence of chain-uri are inherited by all
118       URIs, unless specifically overridden inside each URI configuration.
119

FILES

121       /etc/openldap/slapd.conf
122              default slapd configuration file
123

SEE ALSO

125       slapd.conf(5), slapd-config(5), slapd-ldap(5), slapd(8).
126

AUTHOR

128       Originally implemented by Howard Chu; extended by Pierangelo Masarati.
129
130
131
132OpenLDAP 2.4.47                   2018/12/19                    SLAPO-CHAIN(5)
Impressum