This document is a Mac OS X manual page. Manual pages are a command-line technology for providing documentation. You can view these manual pages locally using the man(1) command. These manual pages come from many different sources, and thus, have a variety of writing styles.

For more information about the manual page format, see the manual page for manpages(5).

SLAPO-CHAIN(5)                                                                                SLAPO-CHAIN(5)



NAME
       slapo-chain - chain overlay

SYNOPSIS
       /etc/openldap/slapd.conf

DESCRIPTION
       The  chain  overlay  to  slapd(8) allows automatic referral chasing.  Any time a referral is returned
       (except for bind operations), it chased by using an instance of the ldap backend.  If operations  are
       performed  with  an  identity  (i.e.  after  a bind), that identity can be asserted while chasing the
       referrals by means of the identity assertion feature of back-ldap (see  slapd-ldap(5)  for  details),
       which  is  essentially  based on the proxyAuthz control (see draft-weltman-ldapv3-proxy for details.)
       Referral chasing can be controlled by the client by issuing the chaining control  (see  draft-sermer-sheim-ldap-chaining draft-sermersheim-ldap-chaining
       sheim-ldap-chaining for details.)


       The  config directives that are specific to the chain overlay are prefixed by chain-, to avoid poten-tial potential
       tial conflicts with directives specific to the underlying database or to other stacked overlays.


       There are very few chain overlay specific directives; however, directives related to the instances of
       the ldap backend that may be implicitly instantiated by the overlay may assume a special meaning when
       used in conjunction with this overlay.  They are described in slapd-ldap(5), and they  also  need  be
       prefixed by chain-.

       overlay chain
              This  directive  adds the chain overlay to the current backend.  The chain overlay may be used
              with any backend, but it is mainly intended for use  with  local  storage  backends  that  may
              return  referrals.   It  is useless in conjunction with the slapd-ldap and slapd-meta backends
              because they already exploit the libldap specific referral chase  feature.   [Note:  this  may
              change  in  the future, as the ldap(5) and meta(5) backends might no longer chase referrals on
              their own.]

       chain-chaining [resolve=<r>] [continuation=<c>] [critical]
              This directive enables the chaining control (see draft-sermersheim-ldap-chaining for  details)
              with  the  desired  resolve and continuation behaviors and criticality.  The resolve parameter
              refers to the behavior while discovering a resource, namely when accessing  the  object  indi-cated indicated
              cated  by  the  request  DN;  the continuation parameter refers to the behavior while handling
              intermediate responses, which is mostly significant for the search operation, but  may  affect
              extended  operations  that  return  intermediate  responses.  The values r and c can be any of
              chainingPreferred, chainingRequired, referralsPreferred, referralsRequired.  If  the  critical
              flag  affects the control criticality if provided.  [This control is experimental and its sup-port support
              port may change in the future.]

       chain-cache-uri {FALSE|true}
              This directive instructs the chain overlay to cache connections to URIs parsed out  of  refer-rals referrals
              rals that are not predefined, to be reused for later chaining.  These URIs inherit the proper-ties properties
              ties configured for the underlying slapd-ldap(5) before any occurrence of the chain-uri direc-tive; directive;
              tive; in detail, they are essentially chained anonymously.

       chain-uri <ldapuri>
              This directive instantiates a new underlying ldap database and instructs it about which URI to
              contact to chase referrals.  As opposed to what stated in  slapd-ldap(5),  only  one  URI  can
              appear  after this directive; all subsequent slapd-ldap(5) directives prefixed by chain- refer
              to this specific instance of a remote server.


       Directives for configuring the underlying ldap database may also be required, as shown in this  exam-ple: example:
       ple:

              overlay                 chain
              chain-rebind-as-user    FALSE

              chain-uri               "ldap://ldap1.example.com"
              chain-rebind-as-user    TRUE
              chain-idassert-bind     bindmethod="simple"
                                      binddn="cn=Auth,dc=example,dc=com"
                                      credentials="secret"
                                      mode="self"

              chain-uri               "ldap://ldap2.example.com"
              chain-idassert-bind     bindmethod="simple"
                                      binddn="cn=Auth,dc=example,dc=com"
                                      credentials="secret"
                                      mode="none"


       Any  valid  directives  for  the  ldap database may be used; see slapd-ldap(5) for details.  Multiple
       occurrences of the chain-uri directive may appear, to define multiple "trusted" URIs where operations
       with  identity  assertion  are  chained.  All URIs not listed in the configuration are chained anony-mously. anonymously.
       mously.  All slapd-ldap(5) directives appearing before the first occurrence of chain-uri  are  inher-ited inherited
       ited by all URIs, unless specifically overridden inside each URI configuration.

FILES
       /etc/openldap/slapd.conf
              default slapd configuration file

SEE ALSO
       slapd.conf(5), slapd-ldap(5), slapd(8).

AUTHOR
       Originally implemented by Howard Chu; extended by Pierangelo Masarati.



OpenLDAP 2.3.27                                  2006/08/19                                   SLAPO-CHAIN(5)