Handling of LDAP Referrals.

(Last modified: 17Oct2002)

This document (10061859) is provided subject to the disclaimer at the end of this document.

fact

Novell eDirectory NDS 8

NDS eDirectory 8.5

Novell LDAP version 85.x

Novell LDAP

symptom

Handling of LDAP Referrals.

A NetWare LDAP server has three different options to handle Referrals. The Referrals can be configured within the LDAP group object.

The first option is 'Always Chain'. This means that if the requested LDAP information is not available locally, the LDAP server gathers the requested information on behalf of the LDAP client.

The second option is 'Refer to NDS LDAP servers that support referrals, and Chain to NDS servers that don't'. This means that if the requested LDAP information is not available locally, but the server is aware of an LDAP server that is able to provide the requested information, the requesting client receives the IP address of that server as a referral response. If the LDAP server is not aware of a referral server, the LDAP server gathers the requested information for the client itself.

The third option is 'Always Refer'. This means the LDAP server provides the requested LDAP information only if the information can be found locally; otherwise the LDAP server responds with a referral. This option requires LDAP support on all NDS servers.

cause

By analyzing the third option, an enhancement request was raised for the following example:
One NDS partition (PAR1) which is held on three NetWare servers.
One server holds the Master replica (MASTER-SRV),
another server holds a Read/Write replica (RW-SRV),
and the third server holds a SubRef (SUB-SRV) replica.

All the following examples use the third LDAP referral option (Always Refer). NLDAP is loaded on all servers.

Scenario 1:
The LDAP client requests LDAP information from server SUB-SRV. The LDAP server is not able to provide the information (no local copy), therefore the server responds with either the IP address of MASTER-SRV or of RW-SRV as a referral response packet. The LDAP referral response alternates between MASTER-SRV and RW-SRV with every new LDAP request.

Internal Process:
Once the LDAP request is submitted to SUB-SRV, the server then sends an NDS Resolve Name packet (NCP 104,2) to MASTER-SRV or RW-SRV (a kind of round robin function). The request essentially asks for the services loaded on the referral server; e.g. if the referral server runs Pure IP / Portal and LDAP, the response packet looks like this:
HTTP://IP address:8008/nds
HTTP://IP address:8008/portal
HTTP://IP address:8009/portal
LDAP://IP address:389

It is important to note that once NLDAP is loaded on a server the server advertises this service by adding the LDAP://IP ADDRESS:389 entry to the server NDS object.

SUB-SRV then checks whether the referral server has a valid LDAP attribute present. If the attribute is present, the requesting LDAP client receives an LDAP referral response. If the attribute is not present, NLDAP runs into a problem and responds with an error: NDS error: no referrals (-634). Theoretically this problem can be avoided by activating the LDAP service on all servers. This is, however, in most cases not possible, and especially not for this customer (800 NetWare servers).

Scenario 2:
The setup is the same as in Scenario 1. The only difference is that RW-SRV has no LDAP service loaded. Due to the 'round robin' process, SUB-SRV provides either MASTER-SRV or RW-SRV as a referral to the LDAP client. If MASTER-SRV is the referral server, the LDAP client receives a valid referral. If RW-SRV is the referral server, the client receives the error mentioned above (Scenario 1).

Enhancement 1:
Why does SUB-SRV send an NCP packet to the referral server even though SUB-SRV has a local NDS copy which contains all the requested information?

NLDAP should attempt to find the information locally; if it is not available, the NLDAP server (SUB-SRV) should start an NDS tree walk.

Enhancement 2: (More important)
In the problem situation mentioned above (NLDAP is not loaded or not properly configured), the NLDAP server should only look for servers that have a valid LDAP attribute present. If there is no server with a valid LDAP attribute in the replica ring, then SUB-SRV should send the error to the LDAP client. If Enhancement 2 were implemented, the error situation would not occur, because SUB-SRV still has a valid LDAP server to refer to (MASTER-SRV).
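The referral selection described in the Internal Process section and in Enhancement 2 can be modelled in a few lines. The following is an added example, not Novell code and not NLDAP's actual implementation: it represents each replica holder by the service entries advertised on its NDS object (the LDAP://IP:389 entry the TID mentions), compares the round-robin selection from Scenarios 1 and 2 with the Enhancement 2 behaviour that only considers servers with a valid LDAP attribute, and uses the -634 code quoted above. Server names follow the TID; the IP addresses and the function and class names are constructed for illustration.

```python
# Added example: a model of NLDAP referral selection as described in this TID.
# Not Novell code; names and addresses below are assumptions for illustration.
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

NDS_ERR_NO_REFERRALS = -634  # "NDS error: no referrals (-634)" quoted in the TID


@dataclass
class NdsServer:
    """A replica holder and the service entries advertised on its NDS object."""
    name: str
    ip: str
    services: List[str] = field(default_factory=list)

    def ldap_url(self) -> Optional[str]:
        """The LDAP service entry (e.g. 'LDAP://10.0.0.1:389'), or None if NLDAP is not loaded."""
        for entry in self.services:
            if entry.upper().startswith("LDAP://"):
                return entry
        return None


def load_nldap(server: NdsServer, port: int = 389) -> None:
    """Loading NLDAP adds the LDAP://IP:port entry to the server object, as the TID notes."""
    server.services.append(f"LDAP://{server.ip}:{port}")


@dataclass
class ReplicaRing:
    """The remote replica holders SUB-SRV can refer to, with a round-robin cursor."""
    remotes: List[NdsServer]
    cursor: int = 0

    def next_of(self, candidates: List[NdsServer]) -> NdsServer:
        """Round-robin over candidates, mirroring the alternating referrals of Scenario 1."""
        chosen = candidates[self.cursor % len(candidates)]
        self.cursor += 1
        return chosen


Response = Tuple[str, object]  # ("referral", url) or ("error", code)


def refer_current(ring: ReplicaRing) -> Response:
    """Scenarios 1 and 2: pick any replica holder first, check its LDAP attribute afterwards."""
    target = ring.next_of(ring.remotes)
    url = target.ldap_url()
    if url is None:
        return ("error", NDS_ERR_NO_REFERRALS)
    return ("referral", url)


def refer_enhanced(ring: ReplicaRing) -> Response:
    """Enhancement 2: consider only replica holders with a valid LDAP attribute;
    the error is returned only when no server in the ring advertises LDAP."""
    capable = [s for s in ring.remotes if s.ldap_url() is not None]
    if not capable:
        return ("error", NDS_ERR_NO_REFERRALS)
    return ("referral", ring.next_of(capable).ldap_url())


def run_requests(policy: Callable[[ReplicaRing], Response],
                 ring: ReplicaRing, count: int) -> List[Response]:
    """Issue 'count' client requests against SUB-SRV and collect its responses."""
    return [policy(ring) for _ in range(count)]


def scenario2_ring() -> ReplicaRing:
    """Scenario 2: MASTER-SRV runs NLDAP, RW-SRV does not (constructed IP addresses)."""
    master = NdsServer("MASTER-SRV", "10.0.0.1", ["HTTP://10.0.0.1:8008/nds"])
    load_nldap(master)
    rw = NdsServer("RW-SRV", "10.0.0.2", ["HTTP://10.0.0.2:8008/nds"])
    return ReplicaRing([master, rw])


if __name__ == "__main__":
    for label, policy in (("current", refer_current), ("enhanced", refer_enhanced)):
        for response in run_requests(policy, scenario2_ring(), 4):
            print(label, response)
```

With the current policy every second request to SUB-SRV lands on RW-SRV and comes back as -634; with the Enhancement 2 policy all four requests are referred to MASTER-SRV, and -634 is only produced when the ring contains no server advertising LDAP at all.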

Customer's environment:
Due to the large size of their NDS tree, the customer has no NDS master server that contains replicas of all partitions. They have 12 'root master' servers that together contain all the NDS information. The LDAP client asks each server sequentially for the user attribute information. All servers with NLDAP loaded use the third option, 'Always Refer'. The customer notes that sometimes the LDAP servers are not able to fulfil the LDAP request.

fix

A request for enhancement has been entered.

document

Document Title: Handling of LDAP Referrals.
Document ID: 10061859
Solution ID: NOVL45840
Creation Date: 19Apr2001
Modified Date: 17Oct2002
Novell Product Class: NetWare
Novell eDirectory

disclaimer

The origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.