This entry is an excerpt from a longer discussion about turning off the ManageDSAIT control, which lets you manage referral entries, and instead following referrals no matter what using Directory Proxy Server. This entry starts off by showing how to specify which controls are forwarded to LDAP data sources. In other words, this entry shows how to turn off a supported control.
You can turn off ManageDSAIT on Directory Proxy, however. allowed-ldap-controls is a server property, documented at http://docs.sun.com/app/docs/doc/820-2767/allowed-ldap-controls-5dpconf.
To turn off ManageDSAIT on Directory Proxy, you set the allowed-ldap-controls to everything but manage-dsa. The Directory Proxy in this example listens on port 2389:
dpconf set-server-prop -p 2389 \
 allowed-ldap-controls:proxy-auth-v1 \
 allowed-ldap-controls:proxy-auth-v2 \
 allowed-ldap-controls:persistent-search \
 allowed-ldap-controls:auth-request \
 allowed-ldap-controls:real-attributes-only \
 allowed-ldap-controls:chaining-loop-detection \
 allowed-ldap-controls:vlv-request \
 allowed-ldap-controls:server-side-sorting \
 allowed-ldap-controls:get-effective-rights
Following referrals is configured separately, as part of a resource limits policy on a connection handler. So if you want referrals to be followed for connections through the default handler, create a policy, attach it to the default handler, and set the policy to follow referrals:
dpconf create-resource-limits-policy -p 2389 myPolicy
dpconf set-connection-handler-prop -p 2389 "default connection handler" resource-limits-policy:myPolicy
dpconf set-resource-limits-policy-prop -p 2389 myPolicy referral-policy:follow
For this example, a referral is set up in Directory Server, which listens on port 1389:
ldapsearch -p 1389 -M -b ou=employees,dc=example,dc=com uid=bjensen
version: 1
dn: uid=bjensen,ou=employees,dc=example,dc=com
objectClass: top
objectClass: extensibleObject
objectClass: referral
ref: ldap://localhost:1389/uid=bjensen,%20ou=People,%20dc=example,dc=com
uid: bjensen

ldapsearch -p 1389 -b ou=employees,dc=example,dc=com uid=bjensen
version: 1
dn: uid=bjensen, ou=People, dc=example,dc=com
cn: Barbara Jensen
cn: Babs Jensen
sn: Jensen
givenName: Barbara
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
ou: Product Development
ou: People
l: Cupertino
uid: bjensen
mail: bjensen@example.com
telephoneNumber: +1 408 555 1862
facsimileTelephoneNumber: +1 408 555 1992
roomNumber: 0209
Now when you go through Directory Proxy to Directory Server, you see the same thing with or without -R:
ldapsearch -p 2389 -b ou=employees,dc=example,dc=com uid=bjensen
version: 1
dn: uid=bjensen, ou=People, dc=example,dc=com
cn: Barbara Jensen
cn: Babs Jensen
sn: Jensen
givenName: Barbara
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
ou: Product Development
ou: People
l: Cupertino
uid: bjensen
mail: bjensen@example.com
telephoneNumber: +1 408 555 1862
facsimileTelephoneNumber: +1 408 555 1992
roomNumber: 0209

ldapsearch -R -p 2389 -b ou=employees,dc=example,dc=com uid=bjensen
version: 1
dn: uid=bjensen, ou=People, dc=example,dc=com
cn: Barbara Jensen
cn: Babs Jensen
sn: Jensen
givenName: Barbara
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
ou: Product Development
ou: People
l: Cupertino
uid: bjensen
mail: bjensen@example.com
telephoneNumber: +1 408 555 1862
facsimileTelephoneNumber: +1 408 555 1992
roomNumber: 0209
When you try to get a look at the referral entry with -M, however, Directory Proxy balks as expected:
ldapsearch -M -p 2389 -b ou=employees,dc=example,dc=com uid=bjensen
ldap_search: Unavailable critical extension
ldap_search: additional info: The server is not configured to pass through control 2.16.840.1.113730.3.4.2
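To re-check this behaviour after later configuration changes, the three outcomes shown above can be told apart by a small script. This is an added example, not part of the original entry: the function names and verdict strings are hypothetical, and the sample outputs are constructed from the ldapsearch output quoted above.

```shell
#!/bin/sh
# OID quoted in the proxy's error message above (the ManageDSAIT control).
MANAGE_DSAIT_OID="2.16.840.1.113730.3.4.2"

# Read ldapsearch output (stdout and stderr) on stdin and print one verdict.
classify_ldapsearch() {
    out=$(cat)
    case "$out" in
        # Proxy refused to pass the control through.
        *"Unavailable critical extension"*"$MANAGE_DSAIT_OID"*) echo control-blocked ;;
        # The referral entry itself came back: the control got through.
        *"objectClass: referral"*) echo referral-entry-exposed ;;
        # The referral target under ou=People came back: referral was followed.
        *"dn: "*"ou=People"*) echo referral-followed ;;
        *) echo unknown ;;
    esac
}

# $1 = output of a plain search, $2 = output of the same search with -M.
# Succeeds only if referrals are followed and ManageDSAIT is refused.
audit_proxy() {
    plain=$(printf '%s\n' "$1" | classify_ldapsearch)
    managed=$(printf '%s\n' "$2" | classify_ldapsearch)
    [ "$plain" = referral-followed ] && [ "$managed" = control-blocked ]
}

# Constructed samples, abbreviated from the output shown in this entry.
SAMPLE_PLAIN='version: 1
dn: uid=bjensen, ou=People, dc=example,dc=com
cn: Barbara Jensen
uid: bjensen'
SAMPLE_BLOCKED='ldap_search: Unavailable critical extension
ldap_search: additional info: The server is not configured to pass through control 2.16.840.1.113730.3.4.2'
SAMPLE_EXPOSED='version: 1
dn: uid=bjensen,ou=employees,dc=example,dc=com
objectClass: top
objectClass: referral
ref: ldap://localhost:1389/uid=bjensen,%20ou=People,%20dc=example,dc=com'

# Against a live proxy, pass the real output instead of the samples:
#   audit_proxy "$(ldapsearch -p 2389 -b ou=employees,dc=example,dc=com uid=bjensen 2>&1)" \
#               "$(ldapsearch -M -p 2389 -b ou=employees,dc=example,dc=com uid=bjensen 2>&1)"
if audit_proxy "$SAMPLE_PLAIN" "$SAMPLE_BLOCKED"; then
    echo "proxy configuration OK (sample data)"
fi
```

A verdict of referral-entry-exposed for the -M search means manage-dsa is still in allowed-ldap-controls.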
