Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
SLAPO-CHAIN(5)		      File Formats Manual		SLAPO-CHAIN(5)

       slapo-chain - chain overlay to slapd


       The  chain  overlay to slapd(8) allows automatic	referral chasing.  Any
       time a referral is returned (except for bind operations), it is	chased
       by  using an instance of	the ldap backend.  If operations are performed
       with an identity	(i.e. after a bind), that  identity  can  be  asserted
       while  chasing the referrals by means of	the identity assertion feature
       of back-ldap (see slapd-ldap(5)	for  details),	which  is  essentially
       based  on the proxied authorization control [RFC	4370].	Referral chas-
       ing can be controlled by	the client by  issuing	the  chaining  control
       (see draft-sermersheim-ldap-chaining for	details.)

       The  config  directives that are	specific to the	chain overlay are pre-
       fixed by	chain-,	to avoid potential conflicts with directives  specific
       to the underlying database or to	other stacked overlays.

       There  are  very	few chain overlay specific directives; however,	direc-
       tives related to	the instances of the ldap backend that may be  implic-
       itly instantiated by the	overlay	may assume a special meaning when used
       in conjunction with this	overlay.  They are described in	slapd-ldap(5),
       and they	also need to be	prefixed by chain-.

       Note: this overlay is built into	the ldap backend; it is	not a separate

       overlay chain
	      This directive adds the chain overlay to	the  current  backend.
	      The chain	overlay	may be used with any backend, but it is	mainly
	      intended for use with local storage backends that	may return re-
	      ferrals.	 It  is	useless	in conjunction with the	slapd-ldap and
	      slapd-meta backends because they	already	 exploit  the  libldap
	      specific	referral chase feature.	 [Note:	this may change	in the
	      future, as the ldap(5) and  meta(5)  backends  might  no	longer
	      chase referrals on their own.]

       chain-cache-uri {FALSE|true}
	      This  directive instructs	the chain overlay to cache connections
	      to URIs parsed out of referrals that are not predefined,	to  be
	      reused  for  later  chaining.  These URIs	inherit	the properties
	      configured for the underlying slapd-ldap(5)  before  any	occur-
	      rence  of	 the  chain-uri	directive; basically, they are chained

       chain-chaining [resolve=<r>] [continuation=<c>] [critical]
	      This directive enables the chaining control  (see	 draft-sermer-
	      sheim-ldap-chaining  for	details)  with the desired resolve and
	      continuation behaviors and criticality.  The  resolve  parameter
	      refers to	the behavior while discovering a resource, namely when
	      accessing	the object indicated by	the request DN;	the  continua-
	      tion  parameter refers to	the behavior while handling intermedi-
	      ate responses, which is mostly significant for the search	opera-
	      tion,  but may affect extended operations	that return intermedi-
	      ate responses.  The values r and c can be	 any  of  chainingPre-
	      ferred, chainingRequired,	referralsPreferred, referralsRequired.
	      If the critical flag affects the	control	 criticality  if  pro-
	      vided.  [This control is experimental and	its support may	change
	      in the future.]

       chain-max-depth <n>
	      In case a	referral is returned during referral chasing,  further
	      chasing  occurs at most <n> levels deep.	Set to 1 (the default)
	      to disable further referral chasing.

       chain-return-error {FALSE|true}
	      In case referral chasing fails, the real error is	 returned  in-
	      stead  of	the original referral.	In case	multiple referral URIs
	      are present, only	the first error	is  returned.	This  behavior
	      may  not	be always appropriate nor desirable, since failures in
	      referral chasing might be	better resolved	by  the	 client	 (e.g.
	      when caused by distributed authentication	issues).

       chain-uri <ldapuri>
	      This  directive  instantiates a new underlying ldap database and
	      instructs	it about which URI to contact to chase referrals.   As
	      opposed to what stated in	slapd-ldap(5), only one	URI can	appear
	      after this directive; all	 subsequent  slapd-ldap(5)  directives
	      prefixed	by  chain- refer to this specific instance of a	remote

       Directives for configuring the underlying ldap database may also	be re-
       quired, as shown	in this	example:

	      overlay		      chain
	      chain-rebind-as-user    FALSE

	      chain-uri		      "ldap://"
	      chain-rebind-as-user    TRUE
	      chain-idassert-bind     bindmethod="simple"

	      chain-uri		      "ldap://"
	      chain-idassert-bind     bindmethod="simple"

       Any   valid   directives	 for  the  ldap	 database  may	be  used;  see
       slapd-ldap(5) for details.  Multiple occurrences	of the	chain-uri  di-
       rective	may appear, to define multiple "trusted" URIs where operations
       with identity assertion are chained.  All URIs not listed in  the  con-
       figuration  are	chained	anonymously.  All slapd-ldap(5)	directives ap-
       pearing before the first	occurrence of chain-uri	are inherited  by  all
       URIs, unless specifically overridden inside each	URI configuration.

	      default slapd configuration file

       slapd.conf(5), slapd-config(5), slapd-ldap(5), slapd(8).

       Originally implemented by Howard	Chu; extended by Pierangelo Masarati.

OpenLDAP 2.6.1			  2022/01/20			SLAPO-CHAIN(5)


Want to link to this manual page? Use this URL:

home | help