Provided by: slapd_2.4.11-0ubuntu6_i386 bug


       slapo-chain - chain overlay to slapd




       The  chain  overlay to slapd(8) allows automatic referral chasing.  Any
       time a referral is returned (except for bind operations), it is  chased
       by  using an instance of the ldap backend.  If operations are performed
       with an identity (i.e. after a bind), that  identity  can  be  asserted
       while  chasing the referrals by means of the identity assertion feature
       of back-ldap (see slapd-ldap(5)  for  details),  which  is  essentially
       based  on  the  proxied  authorization  control  [RFC  4370].  Referral
       chasing can be controlled by the client by issuing the chaining control
       (see draft-sermersheim-ldap-chaining for details.)

       The  config  directives  that  are  specific  to  the chain overlay are
       prefixed by  chain-,  to  avoid  potential  conflicts  with  directives
       specific to the underlying database or to other stacked overlays.

       There   are  very  few  chain  overlay  specific  directives;  however,
       directives related to the instances of the ldap  backend  that  may  be
       implicitly  instantiated  by  the  overlay may assume a special meaning
       when used in conjunction with this  overlay.   They  are  described  in
       slapd-ldap(5), and they also need to be prefixed by chain-.

       overlay chain
              This  directive  adds  the chain overlay to the current backend.
              The chain overlay may be used with any backend, but it is mainly
              intended  for  use  with  local storage backends that may return
              referrals.  It is useless in conjunction with the slapd-ldap and
              slapd-meta  backends  because  they  already exploit the libldap
              specific referral chase feature.  [Note: this may change in  the
              future,  as  the  ldap(5)  and  meta(5) backends might no longer
              chase referrals on their own.]

       chain-cache-uri {FALSE|true}
              This directive instructs the chain overlay to cache  connections
              to  URIs  parsed out of referrals that are not predefined, to be
              reused for later chaining.  These URIs  inherit  the  properties
              configured   for   the   underlying   slapd-ldap(5)  before  any
              occurrence of  the  chain-uri  directive;  basically,  they  are
              chained anonymously.

       chain-chaining [resolve=<r>] [continuation=<c>] [critical]
              This   directive   enables  the  chaining  control  (see  draft-
              sermersheim-ldap-chaining for details) with the desired  resolve
              and   continuation   behaviors  and  criticality.   The  resolve
              parameter refers to the behavior while discovering  a  resource,
              namely  when  accessing  the object indicated by the request DN;
              the continuation parameter refers to the behavior while handling
              intermediate  responses,  which  is  mostly  significant for the
              search operation, but may affect extended operations that return
              intermediate  responses.   The  values  r  and  c  can be any of
              chainingPreferred,     chainingRequired,     referralsPreferred,
              referralsRequired.   If  the  critical  flag affects the control
              criticality if provided.  [This control is experimental and  its
              support may change in the future.]

       chain-max-depth <n>
              In  case a referral is returned during referral chasing, further
              chasing occurs at most <n> levels deep.  Set to 1 (the  default)
              to disable further referral chasing.

       chain-return-error {FALSE|true}
              In  case  referral  chasing  fails,  the  real error is returned
              instead of the original referral.   In  case  multiple  referral
              URIs  are  present,  only  the  first  error  is returned.  This
              behavior may not be  always  appropriate  nor  desirable,  since
              failures  in  referral  chasing  might be better resolved by the
              client (e.g. when caused by distributed authentication  issues).

       chain-uri <ldapuri>
              This  directive  instantiates a new underlying ldap database and
              instructs it about which URI to contact to chase referrals.   As
              opposed to what stated in slapd-ldap(5), only one URI can appear
              after this directive; all  subsequent  slapd-ldap(5)  directives
              prefixed  by  chain- refer to this specific instance of a remote

       Directives for configuring the underlying ldap  database  may  also  be
       required, as shown in this example:

              overlay                 chain
              chain-rebind-as-user    FALSE

              chain-uri               "ldap://"
              chain-rebind-as-user    TRUE
              chain-idassert-bind     bindmethod="simple"

              chain-uri               "ldap://"
              chain-idassert-bind     bindmethod="simple"

       Any  valid  directives  for  the  ldap database may be used; see slapd-
       ldap(5) for details.  Multiple occurrences of the  chain-uri  directive
       may  appear,  to  define  multiple "trusted" URIs where operations with
       identity  assertion  are  chained.   All  URIs  not   listed   in   the
       configuration  are  chained  anonymously.  All slapd-ldap(5) directives
       appearing before the first occurrence of chain-uri are inherited by all
       URIs, unless specifically overridden inside each URI configuration.


              default slapd configuration file


       slapd.conf(5), slapd-ldap(5), slapd(8).


       Originally  implemented by Howard Chu; extended by Pierangelo Masarati.