SLAPO-CHAIN(5)                File Formats Manual               SLAPO-CHAIN(5)

NAME

       slapo-chain - chain overlay

SYNOPSIS

       /etc/openldap/slapd.conf

DESCRIPTION

       The chain overlay to slapd(8) allows automatic referral chasing. Any
       time a referral is returned (except for bind operations), it is chased
       by using an instance of the ldap backend. If operations are performed
       with an identity (i.e. after a bind), that identity can be asserted
       while chasing the referrals by means of the identity assertion feature
       of back-ldap (see slapd-ldap(5) for details), which is essentially
       based on the proxyAuthz control (see draft-weltman-ldapv3-proxy for
       details). Referral chasing can be controlled by the client by issuing
       the chaining control (see draft-sermersheim-ldap-chaining for details).

       The config directives that are specific to the chain overlay are
       prefixed by chain-, to avoid potential conflicts with directives
       specific to the underlying database or to other stacked overlays.

       There are very few chain overlay specific directives; however,
       directives related to the instances of the ldap backend that may be
       implicitly instantiated by the overlay may assume a special meaning
       when used in conjunction with this overlay. They are described in
       slapd-ldap(5), and they also need to be prefixed by chain-.

       overlay chain
              This directive adds the chain overlay to the current backend.
              The chain overlay may be used with any backend, but it is mainly
              intended for use with local storage backends that may return
              referrals. It is useless in conjunction with the slapd-ldap and
              slapd-meta backends because they already exploit the libldap
              specific referral chase feature. [Note: this may change in the
              future, as the ldap(5) and meta(5) backends might no longer
              chase referrals on their own.]

       chain-chaining [resolve=<r>] [continuation=<c>] [critical]
              This directive enables the chaining control (see
              draft-sermersheim-ldap-chaining for details) with the desired
              resolve and continuation behaviors and criticality. The resolve
              parameter refers to the behavior while discovering a resource,
              namely when accessing the object indicated by the request DN;
              the continuation parameter refers to the behavior while handling
              intermediate responses, which is mostly significant for the
              search operation, but may affect extended operations that return
              intermediate responses. The values r and c can be any of
              chainingPreferred, chainingRequired, referralsPreferred,
              referralsRequired. The critical flag, if provided, affects the
              control criticality. [This control is experimental and its
              support may change in the future.]

       chain-cache-uri {FALSE|true}
              This directive instructs the chain overlay to cache connections
              to URIs parsed out of referrals that are not predefined, to be
              reused for later chaining. These URIs inherit the properties
              configured for the underlying slapd-ldap(5) before any
              occurrence of the chain-uri directive; in detail, they are
              essentially chained anonymously.

       chain-uri <ldapuri>
              This directive instantiates a new underlying ldap database and
              instructs it about which URI to contact to chase referrals. As
              opposed to what is stated in slapd-ldap(5), only one URI can
              appear after this directive; all subsequent slapd-ldap(5)
              directives prefixed by chain- refer to this specific instance of
              a remote server.

       Directives for configuring the underlying ldap database may also be
       required, as shown in this example:

              overlay                 chain
              chain-rebind-as-user    FALSE

              chain-uri               "ldap://ldap1.example.com"
              chain-rebind-as-user    TRUE
              chain-idassert-bind     bindmethod="simple"
                                      binddn="cn=Auth,dc=example,dc=com"
                                      credentials="secret"
                                      mode="self"

              chain-uri               "ldap://ldap2.example.com"
              chain-idassert-bind     bindmethod="simple"
                                      binddn="cn=Auth,dc=example,dc=com"
                                      credentials="secret"
                                      mode="none"

       Any valid directives for the ldap database may be used; see
       slapd-ldap(5) for details. Multiple occurrences of the chain-uri
       directive may appear, to define multiple "trusted" URIs where
       operations with identity assertion are chained. All URIs not listed in
       the configuration are chained anonymously. All slapd-ldap(5) directives
       appearing before the first occurrence of chain-uri are inherited by all
       URIs, unless specifically overridden inside each URI configuration.

FILES

       /etc/openldap/slapd.conf
              default slapd configuration file

SEE ALSO

       slapd.conf(5), slapd-ldap(5), slapd(8).

AUTHOR

       Originally implemented by Howard Chu; extended by Pierangelo Masarati.

OpenLDAP 2.3.34                    2007/2/16                    SLAPO-CHAIN(5)