openldap/doc/guide/admin/referrals.sdf

147 lines
5.4 KiB
Plaintext
Raw Normal View History

1999-10-01 00:57:45 +08:00
# $OpenLDAP$
2012-01-01 23:07:45 +08:00
# Copyright 1999-2012 The OpenLDAP Foundation, All Rights Reserved.
1999-04-24 07:41:45 +08:00
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
2000-07-30 23:15:44 +08:00
H1: Constructing a Distributed Directory Service
For many sites, running one or more {{slapd}}(8) that hold an
entire subtree of data is sufficient. But often it is desirable
to have one {{slapd}} refer to other directory services for a
2000-07-30 23:15:44 +08:00
certain part of the tree (which may or may not be running {{slapd}}).
!if 0
{{slapd}} supports {{subordinate}}, {{immediate superior}},
and {{superior}} knowledge information.
!else
{{slapd}} supports {{subordinate}} and {{superior}} knowledge information.
2002-08-29 12:56:05 +08:00
Subordinate knowledge information is held in {{EX:referral}}
objects ({{REF:RFC3296}}).
2000-07-30 23:15:44 +08:00
!endif
H2: Subordinate Knowledge Information
Subordinate knowledge information may be provided to delegate
a subtree.
Subordinate knowledge information is maintained in the directory
as a special {{referral}} object at the delegate point.
2000-08-11 01:49:29 +08:00
The referral object acts as a delegation point, gluing two services
1999-04-24 07:00:44 +08:00
together.
2002-06-15 09:00:50 +08:00
This mechanism allows for hierarchical directory services to be
2000-07-30 23:15:44 +08:00
constructed.
A referral object has a structural object class of
2000-07-30 23:15:44 +08:00
{{EX:referral}} and has the same {{TERM[expand]DN}} as the
delegated subtree. Generally, the referral object will also
provide the auxiliary object class {{EX:extensibleObject}}.
This allows the entry to contain appropriate {{TERM[expand]RDN}}
values. This is best demonstrated by example.
If the server {{EX:a.example.net}} holds {{EX:dc=example,dc=net}}
and wished to delegate the subtree {{EX:ou=subtree,dc=example,dc=net}}
to another server {{EX:b.example.net}}, the following named referral
object would be added to {{EX:a.example.net}}:
2000-07-30 23:15:44 +08:00
> dn: dc=subtree,dc=example,dc=net
> objectClass: referral
> objectClass: extensibleObject
> dc: subtree
2001-06-13 04:57:19 +08:00
> ref: ldap://b.example.net/dc=subtree,dc=example,dc=net
2000-07-30 23:15:44 +08:00
The server uses this information to generate referrals and
search continuations to subordinate servers.
2006-12-10 09:29:13 +08:00
For those familiar with {{TERM:X.500}}, a {{named referral}} object is
2000-07-30 23:15:44 +08:00
similar to an X.500 knowledge reference held in a {{subr}}
{{TERM:DSE}}.
2000-07-30 23:15:44 +08:00
!if 0
H2: Immediate Superior Knowledge Information
Immediate superior knowledge information may be provided in the
entry at the root of a delegated subtree. The knowledge information
is contained with {{EX:ref}} operational attribute.
2000-07-30 23:15:44 +08:00
Extending the example above, a {{ref}} attribute can be added
to the entry {{EX:dc=subtree,dc=example,dc=net}} in server B indicating
that A holds the immediate superior naming context.
> dn: dc=subtree,dc=example,dc=net
> changetype: modify
> add: ref
> ref: ldap://a.example.net/
2000-07-30 23:15:44 +08:00
The server uses this information to generate referrals to
2000-08-08 12:33:28 +08:00
management operations.
2000-07-30 23:15:44 +08:00
2006-12-10 09:29:13 +08:00
For those familiar with {{TERM:X.500}}, this use of the {{EX:ref}}
attribute is similar to an X.500 knowledge reference held in a
2000-07-30 23:15:44 +08:00
{{immSupr}} {{TERM:DSE}}.
!endif
1999-04-24 07:00:44 +08:00
2000-07-30 23:15:44 +08:00
H2: Superior Knowledge Information
1999-04-24 07:00:44 +08:00
2002-08-29 12:56:05 +08:00
Superior knowledge information may be specified using the {{EX:referral}}
directive. The value is a list of {{TERM:URI}}s referring to
superior directory services. For servers without immediate superiors,
such as for {{EX:a.example.net}} in the example above, the server
can be configured to use a directory service with {{global knowledge}},
such as the {{OpenLDAP Root Service}}
2000-08-18 19:22:48 +08:00
({{URL:http://www.openldap.org/faq/index.cgi?file=393}}).
1999-04-24 07:00:44 +08:00
> referral ldap://root.openldap.org/
1999-04-24 07:00:44 +08:00
2000-07-30 23:15:44 +08:00
However, as {{EX:a.example.net}} is the {{immediate superior}}
2000-11-11 05:59:05 +08:00
to {{EX:b.example.net}}, {{b.example.net}} would be configured
2000-07-30 23:15:44 +08:00
as follows:
1999-04-24 07:00:44 +08:00
> referral ldap://a.example.net/
1999-04-24 07:00:44 +08:00
2006-12-10 09:29:13 +08:00
The server uses this information to generate referrals for operations
acting upon entries not within or subordinate to any of the naming
contexts held by the server.
1999-04-24 07:00:44 +08:00
2006-12-10 09:29:13 +08:00
For those familiar with {{TERM:X.500}}, this use of the {{EX:ref}}
attribute is similar to an X.500 knowledge reference held in a
2000-07-30 23:15:44 +08:00
{{Supr}} {{TERM:DSE}}.
2000-08-08 12:42:05 +08:00
H2: The ManageDsaIT Control
2000-08-08 12:42:05 +08:00
Adding, modifying, and deleting referral objects is generally done
using {{ldapmodify}}(1) or similar tools which support the ManageDsaIT
control. The ManageDsaIT control informs the server that you intend
to manage the referral object as a regular entry. This keeps the
server from sending a referral result for requests which interrogate
or update referral objects.
The ManageDsaIT control should not be specified when managing regular
entries.
The {{EX:-M}} option of {{ldapmodify}}(1) (and other tools) enables
2000-08-08 12:42:05 +08:00
ManageDsaIT. For example:
> ldapmodify -M -f referral.ldif -x -D "cn=Manager,dc=example,dc=net" -W
2000-08-08 12:42:05 +08:00
or with {{ldapsearch}}(1):
2000-08-08 12:42:05 +08:00
> ldapsearch -M -b "dc=example,dc=net" -x "(objectclass=referral)" '*' ref
2000-08-08 12:42:05 +08:00
Note: the {{EX:ref}} attribute is operational and must be explicitly
requested when desired in search results.
Note: the use of referrals to construct a Distributed Directory Service is
extremely clumsy and not well supported by common clients. If an existing
installation has already been built using referrals, the use of the
{{chain}} overlay to hide the referrals will greatly improve the usability
of the Directory system. A better approach would be to use explicitly
defined local and proxy databases in {{subordinate}} configurations to
provide a seamless view of the Distributed Directory.
Note: LDAP operations, even subtree searches, normally access only one
database. That can be changed by gluing databases together with the
{{B:subordinate}}/{{B:olcSubordinate}} keyword. Please see {{slapd.conf}}(5)
and {{slapd-config}}(5).