openldap/doc/guide/admin/referrals.sdf

# $OpenLDAP$
# Copyright 1999-2000, The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
H1: Constructing a Distributed Directory Service
For many sites, running one or more {{slapd}}(8) that hold an
entire subtree of data is sufficient. But often it is desirable
to have one {{slapd}} refer to other directory services for a
certain part of the tree (which may or may not be running {{slapd}}).
!if 0
{{slapd}} supports {{subordinate}}, {{immediate superior}},
and {{superior}} knowledge information.
!else
{{slapd}} supports {{subordinate}} and {{superior}} knowledge information.
!endif
H2: Subordinate Knowledge Information
Subordinate knowledge information may be provided to delegate
a subtree.
Subordinate knowledge information is maintained in the directory
as a special {{referral}} object at the delegate point.
The referral object acts as a delegation point, gluing two services
together.
This mechanism allows for hierarchical directory services to be
constructed.
A referral object has a structural object class of
{{EX:referral}} and has the same {{TERM[expand]DN}} as the
delegated subtree. Generally, the referral object will also
provide the auxiliary object class {{EX:extensibleObject}}.
This allows the entry to contain appropriate {{TERM[expand]RDN}}
values. This is best demonstrated by example.
If the server {{EX:a.example.net}} holds {{EX:dc=example,dc=net}}
and wishes to delegate the subtree {{EX:dc=subtree,dc=example,dc=net}}
to another server {{EX:b.example.net}}, the following named referral
object would be added to {{EX:a.example.net}}:
E: dn: dc=subtree, dc=example, dc=net
E: objectClass: referral
E: objectClass: extensibleObject
E: dc: subtree
E: ref: ldap://b.example.net/dc=subtree,dc=example,dc=net/
Adding, modifying, and deleting referral objects is generally done
using {{ldapmodify}}(1) or similar tools which support the
ManageDsaIT control. The ManageDsaIT control informs the server
that you intend to manage the referral object as a regular
entry. This keeps the server from sending a referral result
for requests to update referral objects. The -M option of
{{ldapmodify}}(1) (and other tools) enables ManageDsaIT. For
example:
E: ldapmodify -M -f referral.ldif -x -D "cn=Manager,dc=example,dc=net" -W
The server uses this information to generate referrals and
search continuations to subordinate servers.
For those familiar with X.500, a {{named referral}} object is
similar to an X.500 knowledge reference held in a {{subr}}
{{TERM:DSE}}.
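The following check for a referral LDIF file, run before loading it with {{ldapmodify}} -M, is an added example and not part of the OpenLDAP distribution. It assumes, as in the example above, that the {{ref}} URL names the same DN as the referral object; the function names and the second sample entry are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample: the referral object from this section, then a broken one.
SAMPLE_LDIF = """\
dn: dc=subtree, dc=example, dc=net
objectClass: referral
objectClass: extensibleObject
dc: subtree
ref: ldap://b.example.net/dc=subtree,dc=example,dc=net/

dn: dc=other,dc=example,dc=net
objectClass: referral
ref: ldap://b.example.net/dc=wrong,dc=example,dc=net
"""

def norm_dn(dn):
    # Lower-case and strip spaces around RDN separators (escaped commas not handled).
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif(text):
    # Minimal LDIF reader: blank-line separated entries, no folding or base64 values.
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                entry.setdefault(name.strip().lower(), []).append(value.strip())
        yield entry

def check_referral(entry):
    # Return the list of problems found in one referral object.
    problems = []
    dn = norm_dn(entry["dn"][0])
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "referral" not in classes:
        problems.append("objectClass referral missing")
    attr, _, value = dn.split(",")[0].partition("=")
    if value not in (v.lower() for v in entry.get(attr, [])):
        problems.append(f"RDN value {attr}={value} missing (extensibleObject allows it)")
    refs = entry.get("ref", [])
    if not refs:
        problems.append("no ref attribute")
    for ref in refs:
        url = urlsplit(ref)
        if url.scheme not in ("ldap", "ldaps") or not url.hostname:
            problems.append(f"ref is not an LDAP URI with a host: {ref}")
        elif norm_dn(unquote(url.path).strip("/")) != dn:  # tolerate trailing "/"
            problems.append(f"ref DN differs from entry DN: {ref}")
    return problems

def check_ldif(text):
    return {e["dn"][0]: check_referral(e) for e in parse_ldif(text) if "dn" in e}
```

Calling check_ldif(SAMPLE_LDIF) returns a mapping from each entry DN to its list of problems; an empty list means the object matches the layout described in this section.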
!if 0
H2: Immediate Superior Knowledge Information
Immediate superior knowledge information may be provided in the
entry at the root of a delegated subtree. The knowledge information
is contained in the {{ref}} operational attribute.
Extending the example above, a {{ref}} attribute can be added
to the entry {{EX:dc=subtree,dc=example,dc=net}} in server B indicating
that A holds the immediate superior naming context.
E: dn: dc=subtree, dc=example, dc=net
E: changetype: modify
E: add: ref
E: ref: ldap://a.example.net/
The server uses this information to generate referrals to
management operations.
For those familiar with X.500, this use of the {{ref}} attribute
is similar to an X.500 knowledge reference held in a
{{immSupr}} {{TERM:DSE}}.
!endif
H2: Superior Knowledge Information
Superior knowledge information may be specified using the
{{EX:referral}} directive. The value is a list of {{TERM:URI}}s
referring to superior directory services. For servers
without immediate superiors, such as for {{EX:a.example.net}}
in the example above, the server can be configured to use a
directory service with {{global knowledge}}, such as the
OpenLDAP Root Service.
E: referral ldap://root.openldap.org/
However, as {{EX:a.example.net}} is the {{immediate superior}}
to {{EX:b.example.net}}, {{EX:b.example.net}} would be configured
as follows:
E: referral ldap://a.example.net/
The server uses this information to generate referrals for
operations acting upon entries not within or subordinate
to any of the naming contexts held by the server.
For those familiar with X.500, this use of the {{ref}} attribute
is similar to an X.500 knowledge reference held in a
{{Supr}} {{TERM:DSE}}.