Posted to users@directory.apache.org by "Mittal, Nitin (US - Mumbai)" <ni...@deloitte.com> on 2007/10/11 08:35:45 UTC

Linking apacheDS with another LDAP server

Hello,

I am new to use of LDAP servers.
Is it possible to link two LDAP servers in a way that my client doesn't need to search both of them?

My Requirement :-
I have two LDAP servers. A user account information can be in either one of them.
I don't want my client to be aware of all LDAP servers which it should search, in order to find the user.
The client should only be aware of one LDAP server as the base server which it is supposed to query; however, if the user is not found
in this base server, the search should automatically be extended to the other LDAP server and return success if the user is found there.

Is it possible to configure ApacheDS like this with any other LDAP server ?



thanks,

Nitin Mittal
Technology Integration
Deloitte Consulting Offshore Technology Group 



RE: Linking apacheDS with another LDAP server

Posted by "Mittal, Nitin (US - Mumbai)" <ni...@deloitte.com>.
Hi,

I have now understood the concept of referrals and chasing.
However, I am struggling with creating a referral entry in my ApacheDS
DIT, because the documentation for creating referrals is still not available
on the ApacheDS website (maybe I can contribute something if I can get this
working).

1.))  I created an entry with following classes :- top, extensibleObject
and referral 
However I am not sure about the format of value string for attribute
'ref'
I tried following formats :-

ldap://remoteserver:10389
ldap:remoteserver:10389
Remoteserver:10389

But looks like nothing works. 
Can you please help me with the format of this information or point me
to an available documentation on creating referral entry using
LDAPStudio.

2.)) One more question here :- If a correct referral entry is made into
the DIT, Will the LDAP browser show me the children of the remote
context there itself or not ? (I am using LDAPStudio browser)

3.)) Do I need to turn this referral feature on somehow before working
on this ?



thanks,

Nitin Mittal
Technology Integration
Deloitte Consulting Offshore Technology Group
Tel: +91 22 6644-5745 (Direct)
Tel: +91 9323624353 (Mobile)
Tel: +91 22 6644-5000 (Main)

-----Original Message-----
From: Alex Karasulu [mailto:akarasulu@apache.org] 
Sent: Thursday, October 11, 2007 10:34 PM
To: users@directory.apache.org
Subject: Re: Linking apacheDS with another LDAP server

I think there is also a referral chaining control out there somewhere or
at least some discussion about it.
With referrals you still have to chase the referral: one server tells
you that you have to contact another server.  With this chaining control
the original server you contacted (foo) will go out and do the search for
the client on bar server.  The results are returned to your client as if
all the entries came from foo server.

I guess this is the silver bullet that you're looking for.  But some
clients like JNDI can automatically chase referrals I think (don't quote
me here) so your client code which uses it does not have to have this
logic.  So Stefan's remarks below are right on the money.  In addition
just check to see if JNDI can do automatic referral chasing for you.

Alex

On 10/11/07, Stefan Zoerner <st...@labeo.de> wrote:
>
> The search term "referral" should help. It is a general LDAP concept for
> the requirement you describe, and it is supported (among others) by
> ApacheDS.
>
> See for instance here for a very brief explanation
> http://ldapadministrator.com/resources/english/help/la331/ch05s05.html
> or give Google a try (so did I for the link above).
>
> Greetings from Nuremberg,
>      Stefan
>
> 



Re: Linking apacheDS with another LDAP server

Posted by Alex Karasulu <ak...@apache.org>.
I think there is also a referral chaining control out there somewhere or at
least some discussion about it.
With referrals you still have to chase the referral: one server tells you
that you have to contact another server.  With this chaining control the
original server you contacted (foo) will go out and do the search for the
client on bar server.  The results are returned to your client as if all
the entries came from foo server.

I guess this is the silver bullet that you're looking for.  But some clients
like JNDI can automatically chase referrals I think (don't quote me here) so
your client code which uses it does not have to have this logic.  So Stefan's
remarks below are right on the money.  In addition just check to see if JNDI
can do automatic referral chasing for you.

Alex

On 10/11/07, Stefan Zoerner <st...@labeo.de> wrote:
>
> The search term "referral" should help. It is a general LDAP concept for
> the requirement you describe, and it is supported (among others) by
> ApacheDS.
>
> See for instance here for a very brief explanation
> http://ldapadministrator.com/resources/english/help/la331/ch05s05.html
> or give Google a try (so did I for the link above).
>
> Greetings from Nuremberg,
>      Stefan
>
>
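
Added example, not part of the original thread and not ApacheDS or JNDI code: a client that chases referrals reconnects to whatever server the 'ref' value names, so this Python sketch parses a 'ref' value as an LDAP URL and only approves chasing to allowlisted servers. The allowlist, the sample DN and the choice to reject a URL without a target DN are assumptions of the example; the first three sample values are the ones tried in the post above.

```python
from urllib.parse import urlsplit, unquote

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

# Constructed allowlist: the only (host, port) pairs this client may chase to.
ALLOWED = {("remoteserver", 10389)}

# The first three values are quoted from the thread; the rest are constructed.
SAMPLES = [
    "ldap://remoteserver:10389",
    "ldap:remoteserver:10389",
    "Remoteserver:10389",
    "ldap://remoteserver:10389/ou=users,dc=example,dc=com",
    "ldap://other.example/ou=users,dc=example,dc=com",
]

def parse_ref(value):
    """Split a 'ref' value into (scheme, host, port, dn); raise ValueError if malformed."""
    scheme, sep, _ = value.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in DEFAULT_PORTS:
        raise ValueError("not an ldap:// or ldaps:// URL")
    parts = urlsplit(value)
    if not parts.hostname:
        raise ValueError("missing host")
    port = parts.port or DEFAULT_PORTS[scheme]  # .port raises ValueError on a bad port
    dn = unquote(parts.path.lstrip("/"))        # the DN is the URL path, percent-decoded
    if not dn:
        raise ValueError("missing target DN")   # policy of this example
    return scheme, parts.hostname, port, dn

def may_chase(value, allowed, require_tls=False):
    """Return (True, target_dn) if the referral may be followed, else (False, reason)."""
    try:
        scheme, host, port, dn = parse_ref(value)
    except ValueError as exc:
        return False, str(exc)
    if (host, port) not in allowed:
        return False, "server not in allowlist"
    if require_tls and scheme != "ldaps":
        return False, "referral is not ldaps://"
    return True, dn

if __name__ == "__main__":
    for ref in SAMPLES:
        print(ref, "->", may_chase(ref, ALLOWED))
```
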

Re: Linking apacheDS with another LDAP server

Posted by Stefan Zoerner <st...@labeo.de>.
Emmanuel Lecharny wrote:

> For such a generic LDAP question, I would redirect you to some good LDAP books:
> http://www.amazon.com/LDAP-System-Administration-Gerald-Carter/dp/1565924916
> or
> http://www.amazon.com/Understanding-Deploying-LDAP-Directory-Services/dp/0672323168/ref=pd_sim_b_2/002-2562815-8009610
> 
> because the answer could be way too long by mail.

The search term "referral" should help. It is a general LDAP concept for 
the requirement you describe, and it is supported (among others) by 
ApacheDS.

See for instance here for a very brief explanation
http://ldapadministrator.com/resources/english/help/la331/ch05s05.html
or give Google a try (so did I for the link above).

Greetings from Nuremberg,
     Stefan


Re: Linking apacheDS with another LDAP server

Posted by Emmanuel Lecharny <el...@gmail.com>.
Hi Mittal,

For such a generic LDAP question, I would redirect you to some good LDAP books:
http://www.amazon.com/LDAP-System-Administration-Gerald-Carter/dp/1565924916
or
http://www.amazon.com/Understanding-Deploying-LDAP-Directory-Services/dp/0672323168/ref=pd_sim_b_2/002-2562815-8009610

because the answer could be way too long by mail.

Thanks for your interest !

On 10/11/07, Mittal, Nitin (US - Mumbai) <ni...@deloitte.com> wrote:
> Hello,
>
> I am new to use of LDAP servers.
> Is it possible to link two LDAP servers in a way that my client doesn't need to search both of them?
>
> My Requirement :-
> I have two LDAP servers. A user account information can be in either one of them.
> I don't want my client to be aware of all LDAP servers which it should search, in order to find the user.
> The client should only be aware of one LDAP server as the base server which it is supposed to query; however, if the user is not found
> in this base server, the search should automatically be extended to the other LDAP server and return success if the user is found there.
>
> Is it possible to configure ApacheDS like this with any other LDAP server ?
>
>
>
> thanks,
>
> Nitin Mittal
> Technology Integration
> Deloitte Consulting Offshore Technology Group
>
>
>


-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com