2.4. Configuring Cascading Chaining
The database link can be configured to point to another database link, creating a cascading chaining operation. A cascading chain occurs any time more than one hop is required to access all of the data in a directory tree.
2.4.1. Overview of Cascading Chaining
Cascading chaining occurs when more than one hop is required for the directory to process a client application's request.
The client application sends a modify request to Server 1. Server 1 contains a database link that forwards the operation to Server 2, which contains another database link. The database link on Server 2 forwards the operation to Server 3, which contains the data the client wants to modify in a database. Two hops are required to access the piece of data the client wants to modify.
During a normal operation request, a client binds to the server, and then any ACIs applying to that client are evaluated. With cascading chaining, the client bind request is evaluated on Server 1, but the ACIs applying to the client are evaluated only after the request has been chained to the destination server, in the above example Server 2.
For example, on Server A, a directory tree is split: the root suffix dc=example,dc=com and the ou=people and ou=groups sub-suffixes are stored on Server A. The ou=europe,dc=example,dc=com and ou=groups suffixes are stored on Server B, and the ou=people branch of the ou=europe,dc=example,dc=com suffix is stored on Server C.
With cascading configured on servers A, B, and C, a client request targeted at the ou=people,ou=europe,dc=example,dc=com entry would be routed by the directory as follows: first, the client binds to Server A and chains to Server B using Database Link 1. Then Server B chains to the target database on Server C using Database Link 2 to access the data in the ou=people,ou=europe,dc=example,dc=com branch. Because at least two hops are required for the directory to service the client request, this is considered a cascading chain.
2.4.2. Configuring Cascading Chaining Using the Command Line
This section provides an example of how to configure cascading chaining with three servers as shown in the following diagram:
Configuration Steps on Server 1
- Create the c=africa,ou=people,dc=example,dc=com suffix:
  # dsconf -D "cn=Directory Manager" ldap://server1.example.com backend create --parent-suffix="ou=people,dc=example,dc=com" --suffix="c=africa,ou=people,dc=example,dc=com"
- Create the DBLink1 database link:
  # dsconf -D "cn=Directory Manager" ldap://server1.example.com chaining link-create --suffix="c=africa,ou=people,dc=example,dc=com" --server-url="ldap://africa.example.com:389/" --bind-mech="" --bind-dn="cn=server1 proxy admin,cn=config" --bind-pw="password" --check-aci="off" "DBLink1"
- Enable loop detection:
  # dsconf -D "cn=Directory Manager" ldap://server1.example.com chaining config-set --add-control="1.3.6.1.4.1.1466.29539.12"
Configuration Steps on Server 2
- Create a proxy administrative user on server 2 for server 1 to use for proxy authorization:
  Important: For security reasons, do not use the cn=Directory Manager account.
- Create the ou=Zanzibar,c=africa,ou=people,dc=example,dc=com suffix:
  # dsconf -D "cn=Directory Manager" ldap://server2.example.com backend create --parent-suffix="c=africa,ou=people,dc=example,dc=com" --suffix="ou=Zanzibar,c=africa,ou=people,dc=example,dc=com"
- Create the DBLink2 database link:
  # dsconf -D "cn=Directory Manager" ldap://server2.example.com chaining link-create --suffix="ou=Zanzibar,c=africa,ou=people,dc=example,dc=com" --server-url="ldap://zanz.africa.example.com:389/" --bind-mech="" --bind-dn="cn=server2 proxy admin,cn=config" --bind-pw="password" --check-aci="on" "DBLink2"
  Because the DBLink2 link is the intermediate database link in the cascading chaining configuration, enable the ACL check so that the server checks whether it should allow the client and the proxy administrative user access to the database link.
- Enable loop detection:
  # dsconf -D "cn=Directory Manager" ldap://server2.example.com chaining config-set --add-control="1.3.6.1.4.1.1466.29539.12"
- Enable the proxy authorization control:
  # dsconf -D "cn=Directory Manager" ldap://server2.example.com chaining config-set --add-control="2.16.840.1.113730.3.4.12"
- Add the local proxy authorization ACI:
- Add an ACI that enables users in c=us,ou=people,dc=example,dc=com on server 1 who have a uid attribute set to perform any type of operation on the ou=Zanzibar,c=africa,ou=people,dc=example,dc=com suffix tree on server 3:
  If there are users on server 3 under a different suffix that will require additional rights on server 3, it is necessary to add additional client ACIs on server 2.
Configuration Steps on Server 3
- Create a proxy administrative user on server 3 for server 2 to use for proxy authorization:
  Important: For security reasons, do not use the cn=Directory Manager account.
- Add the local proxy authorization ACI:
- Add an ACI that enables users in c=us,ou=people,dc=example,dc=com on server 1 who have a uid attribute set to perform any type of operation on the ou=Zanzibar,c=africa,ou=people,dc=example,dc=com suffix tree on server 3:
  If there are users on server 3 under a different suffix that will require additional rights on server 3, it is necessary to add additional client ACIs on server 2.
The cascading chaining configuration is now set up. This cascading configuration enables a user to bind to server 1 and modify information in the ou=Zanzibar,c=africa,ou=people,dc=example,dc=com branch on server 3. Depending on your security needs, it can be necessary to provide more detailed access control.
2.4.3. Detecting Loops
An LDAP control included with Directory Server prevents loops. When first attempting to chain, the server sets this control to the maximum number of hops, or chaining connections, allowed. Each subsequent server decrements the count. If a server receives a count of 0, it determines that a loop has been detected and notifies the client application.
To use the control, add the 1.3.6.1.4.1.1466.29539.12 OID. For details about adding an LDAP control, see Section 2.3.2.2, “Chaining LDAP Controls”. If the control is not present in the configuration file of each database link, loop detection will not be implemented.
The number of hops allowed is defined using the nsHopLimit parameter. By default, the parameter is set to 10. For example, to set the hop limit of the example chain to 5:
  # dsconf -D "cn=Directory Manager" ldap://server.example.com chaining link-set --hop-limit 5 example
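The routing walk from Section 2.4.1 and the hop-count loop detection from this section, as an added model that is not part of the Red Hat documentation or of Directory Server's code: it assumes every server honours the control, and the server names, suffixes and links are constructed to mirror the three-server example above, with the two-hop chain resolving and a pair of links pointing at each other being caught when the count reaches 0.

```python
# Added example (not Red Hat's code): models cascading-chain routing and the
# hop-count loop-detection control; servers, suffixes and links are constructed.
from dataclasses import dataclass, field

LOOP_DETECTION_OID = "1.3.6.1.4.1.1466.29539.12"  # OID named in the text

class LoopDetected(Exception): "A forwarded request arrived carrying a hop count of 0."

@dataclass
class Link:
    suffix: str          # suffix the database link answers for
    target: str          # server the request is forwarded to
    hop_limit: int = 10  # nsHopLimit; the text gives 10 as the default

@dataclass
class Server:
    local_suffixes: list = field(default_factory=list)
    links: list = field(default_factory=list)
    controls: set = field(default_factory=set)  # OIDs added via config-set

def missing_loop_detection(servers):
    """Audit helper: servers whose chaining config lacks the loop-detection OID."""
    return sorted(n for n, s in servers.items() if LOOP_DETECTION_OID not in s.controls)

def _most_specific(dn, suffixes):
    """Longest suffix that dn sits under (DNs match from the right)."""
    hits = [s for s in suffixes if dn == s or dn.endswith("," + s)]
    return max(hits, key=len) if hits else None

def route(servers, entry, dn, hops=None, path=()):
    """Resolve dn from `entry`; first chainer sets the count, later hops decrement, 0 = loop."""
    path += (entry,)
    if hops == 0:
        raise LoopDetected("hop count exhausted: " + " -> ".join(path))
    srv = servers[entry]
    local = _most_specific(dn, srv.local_suffixes)
    link = _most_specific(dn, [l.suffix for l in srv.links])
    if local and (link is None or len(local) >= len(link)):
        return path  # a local backend at least as specific as any link answers
    if link is None:
        raise KeyError(f"{entry} holds no suffix covering {dn}")
    lk = next(l for l in srv.links if l.suffix == link)
    return route(servers, lk.target, dn, lk.hop_limit if hops is None else hops - 1, path)

AFRICA = "c=africa,ou=people,dc=example,dc=com"; ZANZIBAR = "ou=Zanzibar," + AFRICA
CHAIN = {  # constructed to mirror the section's three-server example
    "server1": Server(["dc=example,dc=com"], [Link(AFRICA, "server2")], {LOOP_DETECTION_OID}),
    "server2": Server([AFRICA], [Link(ZANZIBAR, "server3")], {LOOP_DETECTION_OID}),
    "server3": Server([ZANZIBAR], [], {LOOP_DETECTION_OID}),
}
```

Calling route(CHAIN, "server1", "uid=alice," + ZANZIBAR) returns the visited servers, and missing_loop_detection(CHAIN) lists any server on which the control was not added.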