SLAPO-CHAIN(5) File Formats Manual SLAPO-CHAIN(5)
NAME
slapo-chain - chain overlay to slapd
SYNOPSIS
/etc/ldap/slapd.conf
DESCRIPTION
The chain overlay to slapd(8) allows automatic referral chasing. Any
time a referral is returned (except for bind operations), it is chased
by using an instance of the ldap backend. If operations are performed
with an identity (i.e. after a bind), that identity can be asserted
while chasing the referrals by means of the identity assertion feature
of back-ldap (see slapd-ldap(5) for details), which is essentially based
on the proxied authorization control [RFC 4370]. Referral chasing can
be controlled by the client by issuing the chaining control (see draft-
sermersheim-ldap-chaining for details.)
The config directives that are specific to the chain overlay are pre-
fixed by chain-, to avoid potential conflicts with directives specific
to the underlying database or to other stacked overlays.
There are very few chain overlay specific directives; however, direc-
tives related to the instances of the ldap backend that may be implic-
itly instantiated by the overlay may assume a special meaning when used
in conjunction with this overlay. They are described in slapd-ldap(5),
and they also need to be prefixed by chain-.
Note: this overlay is built into the ldap backend; it is not a separate
module.
overlay chain
This directive adds the chain overlay to the current backend.
The chain overlay may be used with any backend, but it is mainly
intended for use with local storage backends that may return re-
ferrals. It is useless in conjunction with the slapd-ldap and
slapd-meta backends because they already exploit the libldap spe-
cific referral chase feature. [Note: this may change in the fu-
ture, as the ldap(5) and meta(5) backends might no longer chase
referrals on their own.]
chain-cache-uri {FALSE|true}
This directive instructs the chain overlay to cache connections
to URIs parsed out of referrals that are not predefined, to be
reused for later chaining. These URIs inherit the properties
configured for the underlying slapd-ldap(5) before any occurrence
of the chain-uri directive; basically, they are chained anony-
mously.
chain-chaining [resolve=<r>] [continuation=<c>] [critical]
This directive enables the chaining control (see draft-sermer-
sheim-ldap-chaining for details) with the desired resolve and
continuation behaviors and criticality. The resolve parameter
refers to the behavior while discovering a resource, namely when
accessing the object indicated by the request DN; the continua-
tion parameter refers to the behavior while handling intermediate
responses, which is mostly significant for the search operation,
but may affect extended operations that return intermediate re-
sponses. The values r and c can be any of chainingPreferred,
chainingRequired, referralsPreferred, referralsRequired. If the
critical flag affects the control criticality if provided. [This
control is experimental and its support may change in the fu-
ture.]
chain-max-depth <n>
In case a referral is returned during referral chasing, further
chasing occurs at most <n> levels deep. Set to 1 (the default)
to disable further referral chasing.
chain-return-error {FALSE|true}
In case referral chasing fails, the real error is returned in-
stead of the original referral. In case multiple referral URIs
are present, only the first error is returned. This behavior may
not be always appropriate nor desirable, since failures in refer-
ral chasing might be better resolved by the client (e.g. when
caused by distributed authentication issues).
chain-uri <ldapuri>
This directive instantiates a new underlying ldap database and
instructs it about which URI to contact to chase referrals. As
opposed to what stated in slapd-ldap(5), only one URI can appear
after this directive; all subsequent slapd-ldap(5) directives
prefixed by chain- refer to this specific instance of a remote
server.
Directives for configuring the underlying ldap database may also be re-
quired, as shown in this example:
overlay chain
chain-rebind-as-user FALSE
chain-uri "ldap://ldap1.example.com"
chain-rebind-as-user TRUE
chain-idassert-bind bindmethod="simple"
binddn="cn=Auth,dc=example,dc=com"
credentials="secret"
mode="self"
chain-uri "ldap://ldap2.example.com"
chain-idassert-bind bindmethod="simple"
binddn="cn=Auth,dc=example,dc=com"
credentials="secret"
mode="none"
Any valid directives for the ldap database may be used; see
slapd-ldap(5) for details. Multiple occurrences of the chain-uri direc-
tive may appear, to define multiple "trusted" URIs where operations with
identity assertion are chained. All URIs not listed in the configura-
tion are chained anonymously. All slapd-ldap(5) directives appearing
before the first occurrence of chain-uri are inherited by all URIs, un-
less specifically overridden inside each URI configuration.
FILES
/etc/ldap/slapd.conf
default slapd configuration file
SEE ALSO
slapd.conf(5), slapd-config(5), slapd-ldap(5), slapd(8).
AUTHOR
Originally implemented by Howard Chu; extended by Pierangelo Masarati.
OpenLDAP 2.6.10+dfsg-1 2025/05/22 SLAPO-CHAIN(5)
Generated by dwww version 1.16 on Tue Dec 16 04:46:52 CET 2025.