Provided by: slapd_2.4.42+dfsg-2ubuntu3.13_amd64 bug


       slapo-chain - chain overlay to slapd




       The  chain  overlay to slapd(8) allows automatic referral chasing.  Any time a referral is
       returned (except for bind operations), it is chased by  using  an  instance  of  the  ldap
       backend.   If operations are performed with an identity (i.e. after a bind), that identity
       can be asserted while chasing the referrals by means of the identity assertion feature  of
       back-ldap  (see  slapd-ldap(5)  for  details),  which  is essentially based on the proxied
       authorization control [RFC 4370].  Referral chasing can be controlled  by  the  client  by
       issuing the chaining control (see draft-sermersheim-ldap-chaining for details.)

       The  config  directives  that are specific to the chain overlay are prefixed by chain-, to
       avoid potential conflicts with directives specific to the underlying database or to  other
       stacked overlays.

       There  are  very few chain overlay specific directives; however, directives related to the
       instances of the ldap backend that may be  implicitly  instantiated  by  the  overlay  may
       assume  a  special meaning when used in conjunction with this overlay.  They are described
       in slapd-ldap(5), and they also need to be prefixed by chain-.

       Note: this overlay is built into the ldap backend; it is not a separate module.

       overlay chain
              This directive adds the chain overlay to the current backend.   The  chain  overlay
              may  be used with any backend, but it is mainly intended for use with local storage
              backends that may  return  referrals.   It  is  useless  in  conjunction  with  the
              slapd-ldap  and  slapd-meta  backends  because  they  already  exploit  the libldap
              specific referral chase feature.  [Note: this may change  in  the  future,  as  the
              ldap(5) and meta(5) backends might no longer chase referrals on their own.]

       chain-cache-uri {FALSE|true}
              This  directive instructs the chain overlay to cache connections to URIs parsed out
              of referrals that are not predefined, to be reused for later chaining.  These  URIs
              inherit  the  properties  configured  for  the  underlying slapd-ldap(5) before any
              occurrence of the chain-uri directive; basically, they are chained anonymously.

       chain-chaining [resolve=<r>] [continuation=<c>] [critical]
              This directive enables the chaining  control  (see  draft-sermersheim-ldap-chaining
              for  details)  with the desired resolve and continuation behaviors and criticality.
              The resolve parameter refers to the behavior while discovering a  resource,  namely
              when  accessing  the object indicated by the request DN; the continuation parameter
              refers to the behavior while  handling  intermediate  responses,  which  is  mostly
              significant  for  the  search  operation,  but  may affect extended operations that
              return intermediate responses.  The values r and c can be any of chainingPreferred,
              chainingRequired,  referralsPreferred,  referralsRequired.   If  the  critical flag
              affects the control criticality if provided.  [This control is experimental and its
              support may change in the future.]

       chain-max-depth <n>
              In  case  a referral is returned during referral chasing, further chasing occurs at
              most <n> levels deep.  Set to 1 (the default) to disable further referral chasing.

       chain-return-error {FALSE|true}
              In case referral chasing fails, the real error is returned instead of the  original
              referral.   In  case  multiple  referral  URIs are present, only the first error is
              returned.  This behavior  may  not  be  always  appropriate  nor  desirable,  since
              failures  in  referral  chasing  might  be better resolved by the client (e.g. when
              caused by distributed authentication issues).

       chain-uri <ldapuri>
              This directive instantiates a new underlying ldap database and instructs  it  about
              which   URI  to  contact  to  chase  referrals.   As  opposed  to  what  stated  in
              slapd-ldap(5), only one  URI  can  appear  after  this  directive;  all  subsequent
              slapd-ldap(5)  directives  prefixed  by chain- refer to this specific instance of a
              remote server.

       Directives for configuring the underlying ldap database may also be required, as shown  in
       this example:

              overlay                 chain
              chain-rebind-as-user    FALSE

              chain-uri               "ldap://"
              chain-rebind-as-user    TRUE
              chain-idassert-bind     bindmethod="simple"

              chain-uri               "ldap://"
              chain-idassert-bind     bindmethod="simple"

       Any  valid  directives  for  the ldap database may be used; see slapd-ldap(5) for details.
       Multiple occurrences of the chain-uri directive may appear, to define  multiple  "trusted"
       URIs  where  operations  with  identity assertion are chained.  All URIs not listed in the
       configuration are chained anonymously.  All slapd-ldap(5) directives appearing before  the
       first  occurrence  of  chain-uri are inherited by all URIs, unless specifically overridden
       inside each URI configuration.


              default slapd configuration file


       slapd.conf(5), slapd-config(5), slapd-ldap(5), slapd(8).


       Originally implemented by Howard Chu; extended by Pierangelo Masarati.