bionic (5) slapo-chain.5.gz

Provided by: slapd_2.4.45+dfsg-1ubuntu1.11_amd64

NAME

       slapo-chain - chain overlay to slapd

SYNOPSIS

       /etc/ldap/slapd.conf

DESCRIPTION

       The chain overlay to slapd(8) allows automatic referral chasing.  Any time a referral is returned (except
       for bind operations), it is chased by using an instance of the ldap backend.  If operations are performed
       with  an identity (i.e. after a bind), that identity can be asserted while chasing the referrals by means
       of the identity assertion feature of back-ldap (see slapd-ldap(5)  for  details),  which  is  essentially
       based  on the proxied authorization control [RFC 4370].  Referral chasing can be controlled by the client
       by issuing the chaining control (see draft-sermersheim-ldap-chaining for details).

       The config directives that are specific to the chain overlay are prefixed by chain-, to  avoid  potential
       conflicts with directives specific to the underlying database or to other stacked overlays.

       There are very few chain overlay specific directives; however, directives related to the instances of the
       ldap backend that may be implicitly instantiated by the overlay may assume a special meaning when used in
       conjunction with this overlay.  They are described in slapd-ldap(5), and they also need to be prefixed by
       chain-.

       Note: this overlay is built into the ldap backend; it is not a separate module.

       overlay chain
              This directive adds the chain overlay to the current backend.  The chain overlay may be used  with
              any  backend,  but  it  is  mainly  intended  for  use with local storage backends that may return
              referrals.  It is useless in conjunction with the slapd-ldap and slapd-meta backends because  they
              already  exploit  the  libldap  specific  referral  chase  feature.  [Note: this may change in the
              future, as the ldap(5) and meta(5) backends might no longer chase referrals on their own.]

       chain-cache-uri {FALSE|true}
              This directive instructs the chain overlay to cache connections to URIs parsed  out  of  referrals
              that  are  not  predefined,  to  be  reused for later chaining.  These URIs inherit the properties
              configured for the underlying slapd-ldap(5) before any  occurrence  of  the  chain-uri  directive;
              basically, they are chained anonymously.

       chain-chaining [resolve=<r>] [continuation=<c>] [critical]
              This directive enables the chaining control (see draft-sermersheim-ldap-chaining for details) with
              the desired resolve and continuation behaviors and criticality.  The resolve parameter refers to
              the behavior while discovering a resource, namely when accessing the object indicated by the
              request DN; the continuation parameter refers to the behavior while handling intermediate
              responses, which is mostly significant for the search operation, but may affect extended
              operations that return intermediate responses.  The values r and c can be any of
              chainingPreferred, chainingRequired, referralsPreferred, referralsRequired.  The critical flag,
              if provided, marks the control as critical.  [This control is experimental and its support may
              change in the future.]

       chain-max-depth <n>
              In  case a referral is returned during referral chasing, further chasing occurs at most <n> levels
              deep.  Set to 1 (the default) to disable further referral chasing.

       chain-return-error {FALSE|true}
              In case referral chasing fails, the real error is returned instead of the original referral.  In
              case multiple referral URIs are present, only the first error is returned.  This behavior may not
              always be appropriate or desirable, since failures in referral chasing might be better resolved
              by the client (e.g. when caused by distributed authentication issues).

       chain-uri <ldapuri>
              This directive instantiates a new underlying ldap database and instructs it about which URI to
              contact to chase referrals.  Unlike what is stated in slapd-ldap(5), only one URI can appear
              after this directive; all subsequent slapd-ldap(5) directives prefixed by chain- refer to this
              specific instance of a remote server.

       Directives for configuring the underlying ldap database may also be required, as shown in this example:

              overlay                 chain
              chain-rebind-as-user    FALSE

              chain-uri               "ldap://ldap1.example.com"
              chain-rebind-as-user    TRUE
              chain-idassert-bind     bindmethod="simple"
                                      binddn="cn=Auth,dc=example,dc=com"
                                      credentials="secret"
                                      mode="self"

              chain-uri               "ldap://ldap2.example.com"
              chain-idassert-bind     bindmethod="simple"
                                      binddn="cn=Auth,dc=example,dc=com"
                                      credentials="secret"
                                      mode="none"

       Any valid directives for the ldap  database  may  be  used;  see  slapd-ldap(5)  for  details.   Multiple
       occurrences  of  the  chain-uri  directive may appear, to define multiple "trusted" URIs where operations
       with identity assertion are chained.  All URIs not listed in the configuration are  chained  anonymously.
       All  slapd-ldap(5)  directives  appearing  before  the first occurrence of chain-uri are inherited by all
       URIs, unless specifically overridden inside each URI configuration.
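       The inheritance rules above decide, per referral target, whether an operation is chained with the
       client's identity asserted or anonymously, and a misplaced directive silently changes that.  The
       following script is an added example, not part of this manual page or of OpenLDAP: it parses a
       slapd.conf fragment (the example above, with a constructed chain-max-depth line added) and reports the
       effective per-URI settings.  It assumes slapd.conf's continuation-line convention (a line starting with
       whitespace continues the previous directive) and interprets an idassert-bind whose mode is "none" as
       no identity assertion and any other mode as asserting the client's identity; the function and variable
       names are the example's own.

```python
import shlex

# Defaults this manual page states for the overlay-specific directives.
OVERLAY_DEFAULTS = {
    "chain-max-depth": "1",
    "chain-return-error": "FALSE",
    "chain-cache-uri": "FALSE",
}
OVERLAY_DIRECTIVES = set(OVERLAY_DEFAULTS) | {"chain-chaining"}


def logical_lines(text):
    """Join slapd.conf continuation lines: a line that starts with whitespace
    continues the previous directive.  Blank lines and comments are dropped."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out


def parse_chain_config(text):
    """Split a fragment into overlay settings, the chain- prefixed slapd-ldap
    directives given before the first chain-uri (inherited by every URI), and
    the per-URI overrides that follow each chain-uri."""
    overlay = dict(OVERLAY_DEFAULTS)
    inherited = {}
    per_uri = {}            # insertion order == order of chain-uri directives
    current = None
    for line in logical_lines(text):
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        if keyword in OVERLAY_DIRECTIVES:
            overlay[keyword] = value
        elif keyword == "chain-uri":
            # Only one URI may follow chain-uri; drop the surrounding quotes.
            current = shlex.split(value)[0]
            per_uri[current] = {}
        elif keyword.startswith("chain-"):
            target = per_uri[current] if current else inherited
            target[keyword[len("chain-"):]] = value
        # Anything else configures the database the overlay is stacked on.
    return overlay, inherited, per_uri


def effective_settings(inherited, per_uri, uri=None):
    """Settings used when chaining to `uri`: the inherited directives,
    overridden by that URI's own.  An unlisted (or cached) URI gets only
    the inherited ones."""
    merged = dict(inherited)
    merged.update(per_uri.get(uri, {}))
    return merged


def asserts_identity(settings):
    """True when the effective idassert-bind has a mode other than none,
    i.e. the bound client's identity is asserted on the chained connection."""
    spec = settings.get("idassert-bind")
    if spec is None:
        return False
    params = dict(tok.split("=", 1) for tok in shlex.split(spec) if "=" in tok)
    return params.get("mode", "").lower() != "none"


def audit(text):
    """Summarise, per referral target, how the overlay will chain to it."""
    overlay, inherited, per_uri = parse_chain_config(text)
    report = {"overlay": overlay, "targets": {}}
    for uri in list(per_uri) + ["<unlisted>"]:
        s = effective_settings(inherited, per_uri, None if uri == "<unlisted>" else uri)
        report["targets"][uri] = {
            "asserts_identity": asserts_identity(s),
            "rebind_as_user": s.get("rebind-as-user", "FALSE").upper() == "TRUE",
        }
    return report


# Constructed sample: the manual page's example plus a chain-max-depth line.
SAMPLE_CONF = """\
overlay                 chain
chain-max-depth         2
chain-rebind-as-user    FALSE

chain-uri               "ldap://ldap1.example.com"
chain-rebind-as-user    TRUE
chain-idassert-bind     bindmethod="simple"
                        binddn="cn=Auth,dc=example,dc=com"
                        credentials="secret"
                        mode="self"

chain-uri               "ldap://ldap2.example.com"
chain-idassert-bind     bindmethod="simple"
                        binddn="cn=Auth,dc=example,dc=com"
                        credentials="secret"
                        mode="none"
"""

if __name__ == "__main__":
    for target, how in audit(SAMPLE_CONF)["targets"].items():
        print(f"{target:28} identity asserted: {how['asserts_identity']}")
```

       Run against the sample, the report shows ldap1.example.com chained with the client's identity asserted
       and rebind-as-user in effect, ldap2.example.com chained without assertion, and any URI not named by a
       chain-uri directive chained with only the inherited settings; moving the idassert-bind above the first
       chain-uri would make every target, including those discovered from referrals, inherit it.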

FILES

       /etc/ldap/slapd.conf
              default slapd configuration file

SEE ALSO

       slapd.conf(5), slapd-config(5), slapd-ldap(5), slapd(8).

AUTHOR

       Originally implemented by Howard Chu; extended by Pierangelo Masarati.