slapo-chain(5)
SLAPO-CHAIN(5) FILE FORMATS SLAPO-CHAIN(5)
NAME
slapo-chain - chain overlay
SYNOPSIS
/etc/openldap/slapd.conf
DESCRIPTION
The chain overlay to slapd(8) allows automatic referral
chasing. Any time a referral is returned (except for bind
operations), it is chased by using an instance of the ldap
backend. If operations are performed with an identity (i.e.
after a bind), that identity can be asserted while chasing
the referrals by means of the identity assertion feature of
back-ldap (see slapd-ldap(5) for details), which is
essentially based on the proxyAuthz control (see
draft-weltman-ldapv3-proxy for details). Referral chasing can
be controlled by the client by issuing the chaining control
(see draft-sermersheim-ldap-chaining for details).
The config directives that are specific to the chain overlay
are prefixed by chain-, to avoid potential conflicts with
directives specific to the underlying database or to other
stacked overlays.
There are very few chain overlay specific directives;
however, directives related to the instances of the ldap
backend that may be implicitly instantiated by the overlay may
assume a special meaning when used in conjunction with this
overlay. They are described in slapd-ldap(5), and they also
need to be prefixed by chain-.
overlay chain
    This directive adds the chain overlay to the current
    backend. The chain overlay may be used with any backend,
    but it is mainly intended for use with local storage
    backends that may return referrals. It is useless in
    conjunction with the slapd-ldap and slapd-meta backends
    because they already exploit the libldap specific
    referral chase feature. [Note: this may change in the
    future, as the ldap(5) and meta(5) backends might no
    longer chase referrals on their own.]
chain-chaining [resolve=<r>] [continuation=<c>] [critical]
    This directive enables the chaining control (see
    draft-sermersheim-ldap-chaining for details) with the
    desired resolve and continuation behaviors and
    criticality. The resolve parameter refers to the behavior
    while discovering a resource, namely when accessing the
    object indicated by the request DN; the continuation
    parameter refers to the behavior while handling
    intermediate responses, which is mostly significant for
    the search operation, but may affect extended operations
    that return intermediate responses. The values r and c
    can be any of chainingPreferred, chainingRequired,
    referralsPreferred, referralsRequired. The critical flag
    affects the control criticality if provided. [This
    control is experimental and its support may change in
    the future.]
chain-cache-uri {FALSE|true}
    This directive instructs the chain overlay to cache
    connections to URIs parsed out of referrals that are
    not predefined, to be reused for later chaining. These
    URIs inherit the properties configured for the
    underlying slapd-ldap(5) before any occurrence of the
    chain-uri directive; in detail, they are essentially
    chained anonymously.
chain-uri <ldapuri>
    This directive instantiates a new underlying ldap
    database and instructs it about which URI to contact to
    chase referrals. As opposed to what is stated in
    slapd-ldap(5), only one URI can appear after this
    directive; all subsequent slapd-ldap(5) directives
    prefixed by chain- refer to this specific instance of a
    remote server.
Directives for configuring the underlying ldap database may
also be required, as shown in this example:
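    overlay                 chain
    # directives before the first chain-uri are inherited by all URIs
    chain-rebind-as-user    FALSE

    # first trusted URI; overrides the inherited chain-rebind-as-user
    chain-uri               "ldap://ldap1.example.com"
    chain-rebind-as-user    TRUE
    chain-idassert-bind     bindmethod="simple"
                            binddn="cn=Auth,dc=example,dc=com"
                            credentials="secret"
                            mode="self"

    # second trusted URI; inherits chain-rebind-as-user FALSE
    chain-uri               "ldap://ldap2.example.com"
    chain-idassert-bind     bindmethod="simple"
                            binddn="cn=Auth,dc=example,dc=com"
                            credentials="secret"
                            mode="none"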
Any valid directives for the ldap database may be used; see
slapd-ldap(5) for details. Multiple occurrences of the
chain-uri directive may appear, to define multiple "trusted"
URIs where operations with identity assertion are chained.
All URIs not listed in the configuration are chained
anonymously. All slapd-ldap(5) directives appearing before
the first occurrence of chain-uri are inherited by all URIs,
unless specifically overridden inside each URI
configuration.
FILES
/etc/openldap/slapd.conf
default slapd configuration file
SEE ALSO
slapd.conf(5), slapd-ldap(5), slapd(8).
AUTHOR
Originally implemented by Howard Chu; extended by Pierangelo
Masarati.
OpenLDAP 2.3.27 Last change: 2006/08/19