2.4. Configuring Cascading Chaining
The database link can be configured to point to another database link, creating a cascading chaining operation. A cascading chain occurs any time more than one hop is required to access all of the data in a directory tree.
2.4.1. Overview of Cascading Chaining
Cascading chaining occurs when more than one hop is required for the directory to process a client application's request.
The client application sends a modify request to Server 1. Server 1 contains a database link that forwards the operation to Server 2, which contains another database link. The database link on Server 2 forwards the operation to Server 3, which contains the data the client wants to modify in a database. Two hops are required to access the piece of data the client wants to modify.
During a normal operation request, a client binds to the server, and then any ACIs applying to that client are evaluated. With cascading chaining, the client bind request is evaluated on Server 1, but the ACIs applying to the client are evaluated only after the request has been chained to the destination server, in the above example Server 2.
For example, on Server A, a directory tree is split:
The root suffix dc=example,dc=com and the ou=people and ou=groups sub-suffixes are stored on Server A. The ou=europe,dc=example,dc=com and ou=groups suffixes are stored on Server B, and the ou=people branch of the ou=europe,dc=example,dc=com suffix is stored on Server C.
With cascading configured on servers A, B, and C, a client request targeted at the ou=people,ou=europe,dc=example,dc=com entry would be routed by the directory as follows:
First, the client binds to Server A and chains to Server B using Database Link 1. Then Server B chains to the target database on Server C using Database Link 2 to access the data in the ou=people,ou=europe,dc=example,dc=com branch. Because at least two hops are required for the directory to service the client request, this is considered a cascading chain.
2.4.2. Configuring Cascading Chaining Using the Command Line
This section provides an example of how to configure cascading chaining with three servers as shown in the following diagram:

Configuration Steps on Server 1
- Create the suffix c=africa,ou=people,dc=example,dc=com:
# dsconf -D "cn=Directory Manager" ldap://server1.example.com backend create --parent-suffix="ou=people,dc=example,dc=com" --suffix="c=africa,ou=people,dc=example,dc=com"
- Create the DBLink1 database link:
# dsconf -D "cn=Directory Manager" ldap://server1.example.com chaining link-create --suffix="c=africa,ou=people,dc=example,dc=com" --server-url="ldap://africa.example.com:389/" --bind-mech="" --bind-dn="cn=server1 proxy admin,cn=config" --bind-pw="password" --check-aci="off" "DBLink1"
- Enable loop detection:
# dsconf -D "cn=Directory Manager" ldap://server1.example.com chaining config-set --add-control="1.3.6.1.4.1.1466.29539.12"
Configuration Steps on Server 2
- Create a proxy administrative user on server 2 for server 1 to use for proxy authorization:
# ldapadd -D "cn=Directory Manager" -W -p 389 -h server2.example.com -x
dn: cn=server1 proxy admin,cn=config
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: server1 proxy admin
sn: server1 proxy admin
userPassword: password
description: Entry for use by database links
Important
For security reasons, do not use the cn=Directory Manager account.
- Create the suffix ou=Zanzibar,c=africa,ou=people,dc=example,dc=com:
# dsconf -D "cn=Directory Manager" ldap://server2.example.com backend create --parent-suffix="c=africa,ou=people,dc=example,dc=com" --suffix="ou=Zanzibar,c=africa,ou=people,dc=example,dc=com"
- Create the DBLink2 database link:
# dsconf -D "cn=Directory Manager" ldap://server2.example.com chaining link-create --suffix="ou=Zanzibar,c=africa,ou=people,dc=example,dc=com" --server-url="ldap://zanz.africa.example.com:389/" --bind-mech="" --bind-dn="cn=server2 proxy admin,cn=config" --bind-pw="password" --check-aci="on" "DBLink2"
Because the DBLink2 link is the intermediate database link in the cascading chaining configuration, enable the ACL check to allow the server to check whether it should allow the client and proxy administrative user access to the database link.
- Enable loop detection:
# dsconf -D "cn=Directory Manager" ldap://server2.example.com chaining config-set --add-control="1.3.6.1.4.1.1466.29539.12"
- Enable the proxy authorization control:
# dsconf -D "cn=Directory Manager" ldap://server2.example.com chaining config-set --add-control="2.16.840.1.113730.3.4.12"
- Add the local proxy authorization ACI:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server2.example.com -x
dn: c=africa,ou=people,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(target="ou=Zanzibar,c=africa,ou=people,dc=example,dc=com") (version 3.0; acl "Proxied authorization for database links"; allow (proxy) userdn = "ldap:///cn=server1 proxy admin,cn=config";)
- Add an ACI that enables users in c=us,ou=people,dc=example,dc=com on server 1 who have a uid attribute set to perform any type of operation on the ou=Zanzibar,c=africa,ou=people,dc=example,dc=com suffix tree on server 3:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server2.example.com -x
dn: c=africa,ou=people,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(target="ou=Zanzibar,c=africa,ou=people,dc=example,dc=com") (version 3.0; acl "Client authorization for database links"; allow (all) userdn = "ldap:///uid=*,c=us,ou=people,dc=example,dc=com";)
If there are users on server 3 under a different suffix that will require additional rights on server 3, it is necessary to add additional client ACIs on server 2.
Configuration Steps on Server 3
- Create a proxy administrative user on server 3 for server 2 to use for proxy authorization:
# ldapadd -D "cn=Directory Manager" -W -p 389 -h server3.example.com -x
dn: cn=server2 proxy admin,cn=config
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: server2 proxy admin
sn: server2 proxy admin
userPassword: password
description: Entry for use by database links
Important
For security reasons, do not use the cn=Directory Manager account.
- Add the local proxy authorization ACI:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server3.example.com -x
dn: ou=Zanzibar,c=africa,ou=people,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "Proxied authorization for database links"; allow (proxy) userdn = "ldap:///cn=server2 proxy admin,cn=config";)
- Add an ACI that enables users in c=us,ou=people,dc=example,dc=com on server 1 who have a uid attribute set to perform any type of operation on the ou=Zanzibar,c=africa,ou=people,dc=example,dc=com suffix tree on server 3:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server3.example.com -x
dn: ou=Zanzibar,c=africa,ou=people,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(target="ou=Zanzibar,c=africa,ou=people,dc=example,dc=com") (version 3.0; acl "Client authentication for database link users"; allow (all) userdn = "ldap:///uid=*,c=us,ou=people,dc=example,dc=com";)
If there are users on server 3 under a different suffix that will require additional rights on server 3, it is necessary to add additional client ACIs on server 2.
The cascading chaining configuration is now set up. This cascading configuration enables a user to bind to server 1 and modify information in the ou=Zanzibar,c=africa,ou=people,dc=example,dc=com branch on server 3. Depending on your security needs, it can be necessary to provide more detailed access control.
2.4.3. Detecting Loops
An LDAP control included with Directory Server prevents loops. When first attempting to chain, the server sets this control to the maximum number of hops, or chaining connections, allowed. Each subsequent server decrements the count. If a server receives a count of 0, it determines that a loop has been detected and notifies the client application.
To use the control, add the 1.3.6.1.4.1.1466.29539.12 OID. For details about adding an LDAP control, see Section 2.3.2.2, “Chaining LDAP Controls”. If the control is not present in the configuration file of each database link, loop detection will not be implemented.
The number of hops allowed is defined using the nsHopLimit parameter. By default, the parameter is set to 10. For example, to set the hop limit of the example chain to 5:
# dsconf -D "cn=Directory Manager" ldap://server.example.com chaining link-set --hop-limit 5 example
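A configuration check for the chain built in Sections 2.4.2 and 2.4.3, as an added example that is not part of this guide or of Directory Server itself: it reads an LDIF export of one server's chaining plug-in configuration (the attribute names nsTransmittedControls, nsmultiplexorbinddn and nsCheckLocalACI are the ones the 389 DS chaining plug-in uses for the transmitted controls, the link's bind DN and the --check-aci setting; the sample LDIF is constructed) and flags a missing loop-detection or proxy-authorization control, a link that binds to the farm server as cn=Directory Manager, and an intermediate link whose local ACI check is off.

```python
LOOP_DETECTION_OID = "1.3.6.1.4.1.1466.29539.12"  # loop detection, from the page
PROXY_AUTH_OID = "2.16.840.1.113730.3.4.12"       # proxy authorization, from the page
# Constructed sample: an LDIF export of an intermediate server's chaining plug-in
# configuration (389 DS attribute names; values are made up and deliberately wrong).
SAMPLE_LDIF = """\
dn: cn=config,cn=chaining database,cn=plugins,cn=config
nsTransmittedControls: 2.16.840.1.113730.3.4.12

dn: cn=DBLink2,cn=chaining database,cn=plugins,cn=config
cn: DBLink2
nsfarmserverurl: ldap://zanz.africa.example.com:389/
nsmultiplexorbinddn: cn=Directory Manager
nsCheckLocalACI: off
"""


def parse_ldif(text):
    """Minimal LDIF reader (blank-line separated entries, no line folding) -> list of dicts."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def audit_chaining(text, intermediate):
    """Return findings for one server; intermediate=True for a server like Server 2."""
    findings = []
    for entry in parse_ldif(text):
        dn = entry.get("dn", [""])[0].lower()
        if dn.startswith("cn=config,cn=chaining database"):
            controls = entry.get("nstransmittedcontrols", [])
            if LOOP_DETECTION_OID not in controls:
                findings.append("loop detection control not configured")
            if intermediate and PROXY_AUTH_OID not in controls:
                findings.append("proxy authorization control not configured")
        elif "nsfarmserverurl" in entry:  # a database link entry
            link = entry.get("cn", ["?"])[0]
            if entry.get("nsmultiplexorbinddn", [""])[0].lower() == "cn=directory manager":
                findings.append(f"{link}: binds to the farm server as Directory Manager")
            if intermediate and entry.get("nschecklocalaci", ["off"])[0].lower() != "on":
                findings.append(f"{link}: local ACI check is off on an intermediate link")
    return findings
```

Run it against the output of an ldapsearch under cn=chaining database,cn=plugins,cn=config on each server in the chain, with intermediate=False for the last server, which needs neither the proxy control nor the local ACI check.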