Newbie: LDAP Chaining... a little help?

General Discussion about LDAP Administrator

Postby logicmason » Tue Nov 07, 2006 11:29 am

Hi All,

I have been assigned a task to chain requests from a single LDAP node to another server, but am finding the Sun ONE documentation quite hard to follow. Can someone please help if they have had to do this at some point in the past? I will need to do this via command line only.

The scenario is this:
---------------------

LDAP server 1 (ldap://111.111.111.111:389):

dc=server1,dc=myplace,dc=com
|
|--> cn=Directory Administrators
|--> ou=Apps
|--> ou=Groups
|--> ou=People
|--> ou=Special Users
|--> ou=Systems


LDAP server 2 (ldap://222.222.222.222:389):

dc=server2,dc=myplace,dc=com
|
|--> cn=Directory Administrators
|--> ou=Apps
|--> ou=Groups
|--> ou=People
|--> ou=Special Users
|--> ou=Systems

What I am trying to accomplish is to chain queries on the "ou=People" node on server1 to the "ou=People" node on server2.

This seems to me like pretty much the most basic test case for this functionality, but it seems hard to figure out from the docs (though I fully accept that it could just be me, and not the docs!).

So, here is what I think I need to do:
(NOTE: I AM ASSUMING ALL THESE COMMANDS WILL BE RUN ON server1, THE SERVER FROM WHICH THE CHAINING WILL BE DONE!)


1) Create a proxy identity (on server1):
----------------------------------------


ldapmodify -a -h 222.222.222.222 -p 389 -D "uid=admin,ou=administrators,ou=topologymanagement,o=NetscapeRoot" -w admin
dn: uid=server1_proxy,cn=config
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgperson
uid: server1_proxy
cn: server1 chaining proxy
sn: server1
userpassword: ***is this an existing password?***
description: proxy entry to be used for chaining from server1


2) Set default chaining Parameters:
-----------------------------------


ldapmodify -h 111.111.111.111 -p 389 -D "uid=admin,ou=administrators,ou=topologymanagement,o=NetscapeRoot" -w admin
dn: cn=default instance config,cn=chaining database,cn=plugins,cn=config
changetype: modify
replace: nsslapd-sizelimit
nsslapd-sizelimit: 5000
-
replace: nsslapd-timelimit
nsslapd-timelimit: 600

***In the "dn:" field here, what do I need to put here?
I am assuming that "default instance config" and "chaining database" need to be replaced by some concrete values?***


3) Create chained suffix:
-------------------------


ldapmodify -a -h 111.111.111.111 -p 389 -D "uid=admin,ou=administrators,ou=topologymanagement,o=NetscapeRoot" -w admin
dn: cn=People,cn=mapping tree,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsMappingTree
cn: People
nsslapd-state: backend
nsslapd-backend: databaseName ***What is this?***

***This is really what I am most unsure about.
Are the "dn:" and "cn:" fields correct for what I am trying to do?
And how do I find out what to put in for "nsslapd-backend:", i.e. what is databaseName?***


4) Create the chaining configuration entry:
-------------------------------------------


ldapmodify -h 111.111.111.111 -p 389 -D "uid=admin,ou=administrators,ou=topologymanagement,o=NetscapeRoot" -w admin
dn: cn=databaseName,cn=chaining database,cn=plugins,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsBackendInstance
cn: databaseName ***???***
nsslapd-suffix: ou=People ***???***
nsfarmserverurl: ldap://222.222.222.222:389 ***???***
nsmultiplexorbinddn: server1_proxy ***???***
nsmultiplexorcredentials: admin ***???***

*** Quite unsure about this one too... lots of values I'm not sure what they should be, see ***???*** above***


5) Create an ACI on the remote entry:
-------------------------------------


ldapmodify -h 222.222.222.222 -p 389 -D "uid=admin,ou=administrators,ou=topologymanagement,o=NetscapeRoot" -w admin
dn: ou=People ***???***
changetype: modify
add: aci
aci: (targetattr=*)(target = "ldap:///111.111.111.111:389")(version 3.0;acl "Allows use of admin for chaining"; allow (proxy) (userdn="ldap:///222.222.222.222:389");)

***I think my "ldap:///" and "dn:" values could be wrong here***




The access control will also need to be configured after these steps are completed, but I'll jump off that bridge when I come to it.

Any help on this is very greatly appreciated, I think I need a master's help on this one!

Thanks,
LM.
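A complete, working version of the procedure sketched in the post above, as an added example that is not part of the original post and not taken from the Sun documentation. It follows the database-link ("chaining backend") layout that Sun ONE / Netscape Directory Server uses: the proxy identity and the ACI that grants it proxy rights live on the farm (server2), while the link entry under cn=chaining database and the mapping tree node live on the multiplexor (server1). It answers the placeholders in the draft as follows: nsmultiplexorbinddn is the full DN of the proxy entry, not just its uid; nsslapd-backend in the mapping tree node is the cn of the link entry you create under cn=chaining database; the ACI on the farm is placed on the chained subtree and names the proxy identity's DN in userdn (not a host URL); and the "default instance config" entry only holds defaults inherited by new links, so it can be left alone. One caveat the post's layout runs into: the link forwards DNs to the farm unchanged, so the suffix you give the link must be a DN the farm actually holds. The host addresses come from the post; the admin bind DN cn=Directory Manager, the link name server2People, the proxy password and the use of ou=People,dc=server2,dc=myplace,dc=com as the linked suffix are assumptions made here.

```shell
#!/bin/sh
# Added example, not code from the original post. It builds the four LDIF
# documents a Sun ONE / Netscape-style database link needs and pipes each one
# to ldapmodify on the right server. Every host, DN, name and password below
# is an assumption chosen to fit the two-server layout described in the post.

MUX_HOST=111.111.111.111              # server1: the multiplexor that holds the link
FARM_HOST=222.222.222.222             # server2: the farm that holds the real entries
PORT=389
DIRMGR="cn=Directory Manager"         # assumed: an identity allowed to write cn=config
PROXY_DN="uid=server1_proxy,cn=config"  # identity the link binds with on the farm
LINK_NAME="server2People"             # assumed backend name; anything unique will do
# The link forwards DNs unchanged, so the suffix must be one the farm really holds.
LINK_SUFFIX="ou=People,dc=server2,dc=myplace,dc=com"

# Step 1 (farm): the proxy identity the multiplexor will bind as.  $1 = its password.
proxy_identity_ldif() {
cat <<EOF
dn: $PROXY_DN
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgperson
uid: server1_proxy
cn: server1 chaining proxy
sn: server1
userPassword: $1
description: proxy entry used by the database link on $MUX_HOST
EOF
}

# Step 2 (farm): let that identity use proxied authorization on the chained subtree.
proxy_aci_ldif() {
cat <<EOF
dn: $LINK_SUFFIX
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "Proxied authorization for chaining from $MUX_HOST"; allow (proxy) (userdn="ldap:///$PROXY_DN");)
EOF
}

# Step 3 (multiplexor): the database link itself.  $1 = the proxy identity's password.
database_link_ldif() {
cat <<EOF
dn: cn=$LINK_NAME,cn=chaining database,cn=plugins,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsBackendInstance
cn: $LINK_NAME
nsslapd-suffix: $LINK_SUFFIX
nsfarmserverurl: ldap://$FARM_HOST:$PORT/
nsmultiplexorbinddn: $PROXY_DN
nsmultiplexorcredentials: $1
EOF
}

# Step 4 (multiplexor): route the suffix to the link (nsslapd-backend = the link's cn).
mapping_tree_ldif() {
cat <<EOF
dn: cn="$LINK_SUFFIX",cn=mapping tree,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsMappingTree
cn: $LINK_SUFFIX
nsslapd-state: backend
nsslapd-backend: $LINK_NAME
EOF
}

# Runs the four steps in order: farm first, then the multiplexor.
# $1 = Directory Manager password, $2 = password to set on the proxy identity.
apply_chaining() {
  proxy_identity_ldif "$2" | ldapmodify -a -h "$FARM_HOST" -p "$PORT" -D "$DIRMGR" -w "$1" || return 1
  proxy_aci_ldif           | ldapmodify    -h "$FARM_HOST" -p "$PORT" -D "$DIRMGR" -w "$1" || return 1
  database_link_ldif "$2"  | ldapmodify -a -h "$MUX_HOST"  -p "$PORT" -D "$DIRMGR" -w "$1" || return 1
  mapping_tree_ldif        | ldapmodify -a -h "$MUX_HOST"  -p "$PORT" -D "$DIRMGR" -w "$1" || return 1
  # Smoke test: a base search on the multiplexor should now return the farm's entry
  # (subject to whatever the farm's own ACIs allow the anonymous, proxied caller).
  ldapsearch -h "$MUX_HOST" -p "$PORT" -b "$LINK_SUFFIX" -s base "(objectclass=*)" ou
}

# Usage:  sh chain.sh apply <directory-manager-password> <new-proxy-password>
if [ "${1:-}" = "apply" ]; then
  apply_chaining "$2" "$3"
fi
```

Two practical notes. Passing passwords with -w leaves them visible in the process list; where your ldapmodify supports it, read them from a file instead (-j on the Sun tools, -y on OpenLDAP's). The proxy password also ends up in cn=config on the multiplexor as nsmultiplexorcredentials, so restrict access to that server's dse.ldif, and where both servers support it use an ldaps:// URL in nsfarmserverurl so neither the proxy bind nor the chained traffic crosses the network in the clear.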

Postby logicmason » Tue Nov 07, 2006 4:31 pm

I managed to hammer out all the problems described here.

See the same post on the SUN forums where I included all my findings:

http://forum.sun.com/jive/thread.jspa?t ... 8&tstart=0
