slapo-chain

SLAPO-CHAIN(5)                File Formats Manual               SLAPO-CHAIN(5)



NAME
       slapo-chain - chain overlay to slapd

SYNOPSIS
       /etc/openldap/slapd.conf

DESCRIPTION
       The chain overlay to slapd(8) allows automatic referral chasing.  Any
       time a referral is returned (except for bind operations), it is chased
       by using an instance of the ldap backend.  If operations are performed
       with an identity (i.e. after a bind), that identity can be asserted
       while chasing the referrals by means of the identity assertion feature
       of back-ldap (see slapd-ldap(5) for details), which is essentially
       based on the proxied authorization control [RFC 4370].  Referral
       chasing can be controlled by the client by issuing the chaining control
       (see draft-sermersheim-ldap-chaining for details.)


       The config directives that are specific to the chain overlay are
       prefixed by chain-, to avoid potential conflicts with directives
       specific to the underlying database or to other stacked overlays.


       There are very few chain overlay specific directives; however,
       directives related to the instances of the ldap backend that may be
       implicitly instantiated by the overlay may assume a special meaning
       when used in conjunction with this overlay.  They are described in
       slapd-ldap(5), and they also need to be prefixed by chain-.

       Note: this overlay is built into the ldap backend; it is not a separate
       module.


       overlay chain
              This directive adds the chain overlay to the current backend.
              The chain overlay may be used with any backend, but it is mainly
              intended for use with local storage backends that may return
              referrals.  It is useless in conjunction with the slapd-ldap and
              slapd-meta backends because they already exploit the libldap
              specific referral chase feature.  [Note: this may change in the
              future, as the ldap(5) and meta(5) backends might no longer
              chase referrals on their own.]

       chain-cache-uri {FALSE|true}
              This directive instructs the chain overlay to cache connections
              to URIs parsed out of referrals that are not predefined, to be
              reused for later chaining.  These URIs inherit the properties
              configured for the underlying slapd-ldap(5) before any
              occurrence of the chain-uri directive; basically, they are
              chained anonymously.

       chain-chaining [resolve=<r>] [continuation=<c>] [critical]
              This directive enables the chaining control (see draft-
              sermersheim-ldap-chaining for details) with the desired resolve
              and continuation behaviors and criticality.  The resolve
              parameter refers to the behavior while discovering a resource,
              namely when accessing the object indicated by the request DN;
              the continuation parameter refers to the behavior while handling
              intermediate responses, which is mostly significant for the
              search operation, but may affect extended operations that return
              intermediate responses.  The values r and c can be any of
              chainingPreferred, chainingRequired, referralsPreferred,
              referralsRequired.  If the critical flag affects the control
              criticality if provided.  [This control is experimental and its
              support may change in the future.]

       chain-max-depth <n>
              In case a referral is returned during referral chasing, further
              chasing occurs at most <n> levels deep.  Set to 1 (the default)
              to disable further referral chasing.

       chain-return-error {FALSE|true}
              In case referral chasing fails, the real error is returned
              instead of the original referral.  In case multiple referral
              URIs are present, only the first error is returned.  This
              behavior may not be always appropriate nor desirable, since
              failures in referral chasing might be better resolved by the
              client (e.g. when caused by distributed authentication issues).

       chain-uri <ldapuri>
              This directive instantiates a new underlying ldap database and
              instructs it about which URI to contact to chase referrals.  As
              opposed to what stated in slapd-ldap(5), only one URI can appear
              after this directive; all subsequent slapd-ldap(5) directives
              prefixed by chain- refer to this specific instance of a remote
              server.

       Directives for configuring the underlying ldap database may also be
       required, as shown in this example:

              overlay                 chain
              chain-rebind-as-user    FALSE

              chain-uri               "ldap://ldap1.example.com"
              chain-rebind-as-user    TRUE
              chain-idassert-bind     bindmethod="simple"
                                      binddn="cn=Auth,dc=example,dc=com"
                                      credentials="secret"
                                      mode="self"

              chain-uri               "ldap://ldap2.example.com"
              chain-idassert-bind     bindmethod="simple"
                                      binddn="cn=Auth,dc=example,dc=com"
                                      credentials="secret"
                                      mode="none"


       Any valid directives for the ldap database may be used; see
       slapd-ldap(5) for details.  Multiple occurrences of the chain-uri
       directive may appear, to define multiple "trusted" URIs where
       operations with identity assertion are chained.  All URIs not listed in
       the configuration are chained anonymously.  All slapd-ldap(5)
       directives appearing before the first occurrence of chain-uri are
       inherited by all URIs, unless specifically overridden inside each URI
       configuration.

FILES
       /etc/openldap/slapd.conf
              default slapd configuration file

SEE ALSO
       slapd.conf(5), slapd-config(5), slapd-ldap(5), slapd(8).

AUTHOR
       Originally implemented by Howard Chu; extended by Pierangelo Masarati.



OpenLDAP 2.4.40                   2014/09/20                    SLAPO-CHAIN(5)