1SLAPO-CHAIN(5)                File Formats Manual               SLAPO-CHAIN(5)
2
3
4

NAME

6       slapo-chain - chain overlay to slapd
7

SYNOPSIS

9       /etc/openldap/slapd.conf
10

DESCRIPTION

12       The  chain  overlay to slapd(8) allows automatic referral chasing.  Any
13       time a referral is returned (except for bind operations), it is  chased
14       by  using an instance of the ldap backend.  If operations are performed
15       with an identity (i.e. after a bind), that  identity  can  be  asserted
16       while  chasing the referrals by means of the identity assertion feature
17       of back-ldap (see slapd-ldap(5)  for  details),  which  is  essentially
18       based  on the proxied authorization control [RFC 4370].  Referral chas‐
19       ing can be controlled by the client by  issuing  the  chaining  control
20       (see draft-sermersheim-ldap-chaining for details.)
21
22
23       The  config  directives that are specific to the chain overlay are pre‐
24       fixed by chain-, to avoid potential conflicts with directives  specific
25       to the underlying database or to other stacked overlays.
26
27
28       There  are  very few chain overlay specific directives; however, direc‐
29       tives related to the instances of the ldap backend that may be  implic‐
30       itly instantiated by the overlay may assume a special meaning when used
31       in conjunction with this overlay.  They are described in slapd-ldap(5),
32       and they also need to be prefixed by chain-.
33
34       Note: this overlay is built into the ldap backend; it is not a separate
35       module.
36
37
38       overlay chain
39              This directive adds the chain overlay to  the  current  backend.
40              The chain overlay may be used with any backend, but it is mainly
41              intended for use with local storage backends that may return re‐
42              ferrals.   It  is useless in conjunction with the slapd-ldap and
43              slapd-meta backends because they  already  exploit  the  libldap
44              specific  referral chase feature.  [Note: this may change in the
45              future, as the ldap(5) and  meta(5)  backends  might  no  longer
46              chase referrals on their own.]
47
48       chain-cache-uri {FALSE|true}
49              This  directive instructs the chain overlay to cache connections
50              to URIs parsed out of referrals that are not predefined,  to  be
51              reused  for  later  chaining.  These URIs inherit the properties
52              configured for the underlying slapd-ldap(5)  before  any  occur‐
53              rence  of  the  chain-uri directive; basically, they are chained
54              anonymously.
55
56       chain-chaining [resolve=<r>] [continuation=<c>] [critical]
57              This directive enables the chaining control  (see  draft-sermer‐
58              sheim-ldap-chaining  for  details)  with the desired resolve and
59              continuation behaviors and criticality.  The  resolve  parameter
60              refers to the behavior while discovering a resource, namely when
61              accessing the object indicated by the request DN; the  continua‐
62              tion  parameter refers to the behavior while handling intermedi‐
63              ate responses, which is mostly significant for the search opera‐
64              tion,  but may affect extended operations that return intermedi‐
65              ate responses.  The values r and c can be  any  of  chainingPre‐
66              ferred, chainingRequired, referralsPreferred, referralsRequired.
67              If the critical flag affects the  control  criticality  if  pro‐
68              vided.  [This control is experimental and its support may change
69              in the future.]
70
71       chain-max-depth <n>
72              In case a referral is returned during referral chasing,  further
73              chasing  occurs at most <n> levels deep.  Set to 1 (the default)
74              to disable further referral chasing.
75
76       chain-return-error {FALSE|true}
77              In case referral chasing fails, the real error is  returned  in‐
78              stead  of the original referral.  In case multiple referral URIs
79              are present, only the first error is  returned.   This  behavior
80              may  not  be always appropriate nor desirable, since failures in
81              referral chasing might be better resolved by  the  client  (e.g.
82              when caused by distributed authentication issues).
83
84       chain-uri <ldapuri>
85              This  directive  instantiates a new underlying ldap database and
86              instructs it about which URI to contact to chase referrals.   As
87              opposed to what stated in slapd-ldap(5), only one URI can appear
88              after this directive; all  subsequent  slapd-ldap(5)  directives
89              prefixed  by  chain- refer to this specific instance of a remote
90              server.
91
92       Directives for configuring the underlying ldap database may also be re‐
93       quired, as shown in this example:
94
95              overlay                 chain
96              chain-rebind-as-user    FALSE
97
98              chain-uri               "ldap://ldap1.example.com"
99              chain-rebind-as-user    TRUE
100              chain-idassert-bind     bindmethod="simple"
101                                      binddn="cn=Auth,dc=example,dc=com"
102                                      credentials="secret"
103                                      mode="self"
104
105              chain-uri               "ldap://ldap2.example.com"
106              chain-idassert-bind     bindmethod="simple"
107                                      binddn="cn=Auth,dc=example,dc=com"
108                                      credentials="secret"
109                                      mode="none"
110
111
112       Any   valid   directives  for  the  ldap  database  may  be  used;  see
113       slapd-ldap(5) for details.  Multiple occurrences of the  chain-uri  di‐
114       rective  may appear, to define multiple "trusted" URIs where operations
115       with identity assertion are chained.  All URIs not listed in  the  con‐
116       figuration  are  chained anonymously.  All slapd-ldap(5) directives ap‐
117       pearing before the first occurrence of chain-uri are inherited  by  all
118       URIs, unless specifically overridden inside each URI configuration.
119

FILES

121       /etc/openldap/slapd.conf
122              default slapd configuration file
123

SEE ALSO

125       slapd.conf(5), slapd-config(5), slapd-ldap(5), slapd(8).
126

AUTHOR

128       Originally implemented by Howard Chu; extended by Pierangelo Masarati.
129
130
131
132OpenLDAP 2.6.3                    2022/07/14                    SLAPO-CHAIN(5)
Impressum