1SLAPO-CHAIN(5) File Formats Manual SLAPO-CHAIN(5)
2
3
4
6 slapo-chain - chain overlay to slapd
7
9 /etc/openldap/slapd.conf
10
12 The chain overlay to slapd(8) allows automatic referral chasing. Any
13 time a referral is returned (except for bind operations), it is chased
14 by using an instance of the ldap backend. If operations are performed
15 with an identity (i.e. after a bind), that identity can be asserted
16 while chasing the referrals by means of the identity assertion feature
17 of back-ldap (see slapd-ldap(5) for details), which is essentially
18 based on the proxied authorization control [RFC 4370]. Referral chas‐
19 ing can be controlled by the client by issuing the chaining control
20 (see draft-sermersheim-ldap-chaining for details.)
21
22
23 The config directives that are specific to the chain overlay are pre‐
24 fixed by chain-, to avoid potential conflicts with directives specific
25 to the underlying database or to other stacked overlays.
26
27
28 There are very few chain overlay specific directives; however, direc‐
29 tives related to the instances of the ldap backend that may be implic‐
30 itly instantiated by the overlay may assume a special meaning when used
31 in conjunction with this overlay. They are described in slapd-ldap(5),
32 and they also need to be prefixed by chain-.
33
34 Note: this overlay is built into the ldap backend; it is not a separate
35 module.
36
37
38 overlay chain
39 This directive adds the chain overlay to the current backend.
40 The chain overlay may be used with any backend, but it is mainly
41 intended for use with local storage backends that may return re‐
42 ferrals. It is useless in conjunction with the slapd-ldap and
43 slapd-meta backends because they already exploit the libldap
44 specific referral chase feature. [Note: this may change in the
45 future, as the ldap(5) and meta(5) backends might no longer
46 chase referrals on their own.]
47
48 chain-cache-uri {FALSE|true}
49 This directive instructs the chain overlay to cache connections
50 to URIs parsed out of referrals that are not predefined, to be
51 reused for later chaining. These URIs inherit the properties
52 configured for the underlying slapd-ldap(5) before any occur‐
53 rence of the chain-uri directive; basically, they are chained
54 anonymously.
55
56 chain-chaining [resolve=<r>] [continuation=<c>] [critical]
57 This directive enables the chaining control (see draft-sermer‐
58 sheim-ldap-chaining for details) with the desired resolve and
59 continuation behaviors and criticality. The resolve parameter
60 refers to the behavior while discovering a resource, namely when
61 accessing the object indicated by the request DN; the continua‐
62 tion parameter refers to the behavior while handling intermedi‐
63 ate responses, which is mostly significant for the search opera‐
64 tion, but may affect extended operations that return intermedi‐
65 ate responses. The values r and c can be any of chainingPre‐
66 ferred, chainingRequired, referralsPreferred, referralsRequired.
67 If the critical flag affects the control criticality if pro‐
68 vided. [This control is experimental and its support may change
69 in the future.]
70
71 chain-max-depth <n>
72 In case a referral is returned during referral chasing, further
73 chasing occurs at most <n> levels deep. Set to 1 (the default)
74 to disable further referral chasing.
75
76 chain-return-error {FALSE|true}
77 In case referral chasing fails, the real error is returned in‐
78 stead of the original referral. In case multiple referral URIs
79 are present, only the first error is returned. This behavior
80 may not be always appropriate nor desirable, since failures in
81 referral chasing might be better resolved by the client (e.g.
82 when caused by distributed authentication issues).
83
84 chain-uri <ldapuri>
85 This directive instantiates a new underlying ldap database and
86 instructs it about which URI to contact to chase referrals. As
87 opposed to what stated in slapd-ldap(5), only one URI can appear
88 after this directive; all subsequent slapd-ldap(5) directives
89 prefixed by chain- refer to this specific instance of a remote
90 server.
91
92 Directives for configuring the underlying ldap database may also be re‐
93 quired, as shown in this example:
94
95 overlay chain
96 chain-rebind-as-user FALSE
97
98 chain-uri "ldap://ldap1.example.com"
99 chain-rebind-as-user TRUE
100 chain-idassert-bind bindmethod="simple"
101 binddn="cn=Auth,dc=example,dc=com"
102 credentials="secret"
103 mode="self"
104
105 chain-uri "ldap://ldap2.example.com"
106 chain-idassert-bind bindmethod="simple"
107 binddn="cn=Auth,dc=example,dc=com"
108 credentials="secret"
109 mode="none"
110
111
112 Any valid directives for the ldap database may be used; see
113 slapd-ldap(5) for details. Multiple occurrences of the chain-uri di‐
114 rective may appear, to define multiple "trusted" URIs where operations
115 with identity assertion are chained. All URIs not listed in the con‐
116 figuration are chained anonymously. All slapd-ldap(5) directives ap‐
117 pearing before the first occurrence of chain-uri are inherited by all
118 URIs, unless specifically overridden inside each URI configuration.
119
121 /etc/openldap/slapd.conf
122 default slapd configuration file
123
125 slapd.conf(5), slapd-config(5), slapd-ldap(5), slapd(8).
126
128 Originally implemented by Howard Chu; extended by Pierangelo Masarati.
129
130
131
132OpenLDAP 2.6.3 2022/07/14 SLAPO-CHAIN(5)