1 .TH SLAPO-CHAIN 5 "RELEASEDATE" "OpenLDAP LDVERSION"
2 .\" Copyright 1998-2017 The OpenLDAP Foundation, All Rights Reserved.
3 .\" Copying restrictions apply. See the COPYRIGHT file.
6 slapo\-chain \- chain overlay to slapd
14 allows automatic referral chasing.
15 Any time a referral is returned (except for bind operations),
16 it is chased by using an instance of the ldap backend.
17 If operations are performed with an identity (i.e. after a bind),
18 that identity can be asserted while chasing the referrals
19 by means of the \fIidentity assertion\fP feature of back-ldap
22 for details), which is essentially based on the
23 .B proxied authorization
25 Referral chasing can be controlled by the client by issuing the
26 \fBchaining\fP control
27 (see \fIdraft-sermersheim-ldap-chaining\fP for details.)
30 The config directives that are specific to the
32 overlay are prefixed by
34 to avoid potential conflicts with directives specific to the underlying
35 database or to other stacked overlays.
38 There are very few chain overlay specific directives; however, directives
39 related to the instances of the \fIldap\fP backend that may be implicitly
40 instantiated by the overlay may assume a special meaning when used
41 in conjunction with this overlay. They are described in
43 and they also need to be prefixed by
46 Note: this overlay is built into the \fIldap\fP backend; it is not
51 This directive adds the chain overlay to the current backend.
52 The chain overlay may be used with any backend, but it is mainly
53 intended for use with local storage backends that may return referrals.
54 It is useless in conjunction with the \fIslapd\-ldap\fP and \fIslapd\-meta\fP
55 backends because they already exploit the libldap specific referral chase
57 [Note: this may change in the future, as the \fBldap\fP(5) and
58 \fBmeta\fP(5) backends might no longer chase referrals on their own.]
60 .B chain\-cache\-uri {FALSE|true}
61 This directive instructs the \fIchain\fP overlay to cache
62 connections to URIs parsed out of referrals that are not predefined,
63 to be reused for later chaining.
64 These URIs inherit the properties configured for the underlying
65 \fBslapd\-ldap\fP(5) before any occurrence of the \fBchain\-uri\fP
66 directive; basically, they are chained anonymously.
68 .B chain\-chaining [resolve=<r>] [continuation=<c>] [critical]
69 This directive enables the \fIchaining\fP control
70 (see \fIdraft-sermersheim-ldap-chaining\fP for details)
71 with the desired resolve and continuation behaviors and criticality.
72 The \fBresolve\fP parameter refers to the behavior while discovering
73 a resource, namely when accessing the object indicated by the request DN;
74 the \fBcontinuation\fP parameter refers to the behavior while handling
75 intermediate responses, which is mostly significant for the search
76 operation, but may affect extended operations that return intermediate
78 The values \fBr\fP and \fBc\fP can be any of
79 .BR chainingPreferred ,
80 .BR chainingRequired ,
81 .BR referralsPreferred ,
82 .BR referralsRequired .
83 If the \fBcritical\fP flag affects the control criticality if provided.
84 [This control is experimental and its support may change in the future.]
86 .B chain\-max\-depth <n>
87 In case a referral is returned during referral chasing, further chasing
88 occurs at most \fB<n>\fP levels deep. Set to \fB1\fP (the default)
89 to disable further referral chasing.
91 .B chain\-return\-error {FALSE|true}
92 In case referral chasing fails, the real error is returned instead
93 of the original referral. In case multiple referral URIs are present,
94 only the first error is returned. This behavior may not be always
95 appropriate nor desirable, since failures in referral chasing might be
96 better resolved by the client (e.g. when caused by distributed
97 authentication issues).
99 .B chain\-uri <ldapuri>
100 This directive instantiates a new underlying \fIldap\fP database
101 and instructs it about which URI to contact to chase referrals.
102 As opposed to what stated in \fBslapd\-ldap\fP(5), only one URI
103 can appear after this directive; all subsequent \fBslapd\-ldap\fP(5)
104 directives prefixed by \fBchain\-\fP refer to this specific instance
108 Directives for configuring the underlying ldap database may also
109 be required, as shown in this example:
114 chain\-rebind\-as\-user FALSE
116 chain\-uri "ldap://ldap1.example.com"
117 chain\-rebind\-as\-user TRUE
118 chain\-idassert\-bind bindmethod="simple"
119 binddn="cn=Auth,dc=example,dc=com"
123 chain\-uri "ldap://ldap2.example.com"
124 chain\-idassert\-bind bindmethod="simple"
125 binddn="cn=Auth,dc=example,dc=com"
132 Any valid directives for the ldap database may be used; see
135 Multiple occurrences of the \fBchain\-uri\fP directive may appear,
136 to define multiple "trusted" URIs where operations with
137 \fIidentity assertion\fP are chained.
138 All URIs not listed in the configuration are chained anonymously.
139 All \fBslapd\-ldap\fP(5) directives appearing before the first
140 occurrence of \fBchain\-uri\fP are inherited by all URIs,
141 unless specifically overridden inside each URI configuration.
145 default slapd configuration file
148 .BR slapd\-config (5),
152 Originally implemented by Howard Chu; extended by Pierangelo Masarati.