LDAP Referral Filtering

  • 3899534
  • 10-Jan-2007
  • 06-Jun-2012

Environment

Novell eDirectory 8.7.1 for All Platforms
Novell NetWare 6.5

Situation

Administrators need the ability to control referrals returned by NLDAP.

Additional Information

Need for LDAP Referral Filtering

In a Novell® eDirectory™ 8.7.1 deployment with multiple replica servers in a tree, an LDAP server configured with the Prefer Referrals or Always Refer option returns referrals when the object targeted by the requested operation is not held in a local replica. The LDAP client sends the request to the server, and the server returns a referral list naming every LDAP server that holds that replica. The client then follows any one of those referrals to complete the operation. If it happens to follow the referral of a low-end server, or of a server across a slow or distant link, it sees a slow response, which degrades client performance. The remedy is a referral filtering mechanism on the LDAP server side, so that only the referrals of high-end servers, or of the nearest ones, are returned. Filtering belongs on the server because LDAP client programmers do not have complete knowledge of the servers and the network configuration; administrators do, including the kind of LDAP servers in the network and the network link speeds.
Using LDAP Referral Filtering

Complete the following steps to use the LDAP referral filtering feature with an eDirectory 8.7.1 LDAP server on NetWare®:

1. Extend the schema with the new ldap.sch file using nwconfig> Directory Options > Extend Schema.

2. Verify the ACL rights of the LDAP Group object

If multiple LDAP Server objects share the same LDAP Group object, and the NCP Server object is not a trustee with Supervisor rights of the container that holds that LDAP Group object, then after this patch is applied LDAP will not initialize correctly and LDAP dstrace will show a -672 (access denied) error. The reason is that the LDAP server authenticates as the NCP Server object to upgrade the LDAP Group object, and it needs Create rights at the container level to create an object during the upgrade.

To resolve this issue, add the NCP Server object as a trustee of the container that holds the LDAP Group object and grant it Supervisor rights. This may already be in place, because default NetWare applications set this ACL. After the trustee assignment is made, LDAP initializes correctly.

3. Copy the new nldap.nlm into the sys:\system directory as follows:

   • Stop the existing NLDAP server: unload nldap
   • Copy the unzipped nldap.nlm to sys:\system
   • Start the NLDAP server: load nldap

4. Set up the referral filter on the LDAP Group object using the attributes "referralIncludeFilter" and "referralExcludeFilter". Filters set through these attributes apply to all the LDAP servers belonging to that LDAP Group object. The LDAP server returns the referrals that match a referralIncludeFilter value and drops the ones that match a referralExcludeFilter value: referrals matching referralIncludeFilter are returned to the LDAP clients and all other referrals are excluded from the referral list; likewise, referrals matching referralExcludeFilter are removed from the referral list before it is sent to the LDAP clients. If both filters exist and a referral matches neither of them, it is excluded. If the filters disallow every available referral, the server behaves as if no referrals were available and returns LDAP_OTHER (80), which some client tools report as "Unknown error".

After adding or modifying these filter attributes, if the LDAP server is not refreshed, the changes take effect at the next automatic refresh. Currently, these filter attributes can be added or modified only through the Other tab in ConsoleOne®.
Format to Specify LDAP Referral Filters

The LDAP referral filter format is a simple IP address format:

    [ldap://] | [ldaps://] IPAddress[:port]

Restricting a filter to the clear-text port or to the SSL port is done by prepending ldap:// or ldaps:// respectively. If neither is specified, the filter applies to both kinds of referral.

These filter attributes (referralIncludeFilter and referralExcludeFilter) are multi-valued; you can specify as many matching filters as you need. You can set the values of these attributes either through ConsoleOne or with LDIF.

Examples:

    1.2.3.4                  # matches both ldap and ldaps referrals to 1.2.3.4 on any port
    1.2.                     # matches all IP addresses 1.2.X.Y
    1.2.3.                   # matches all IP addresses 1.2.3.Y
    ldap:// or ldap://*      # matches all clear-text port ldap referrals
    ldaps:// or ldaps://*    # matches all SSL port ldaps referrals
    *                        # matches all referrals
    ldaps://5.6.7.8:636      # matches SSL port 636 on IP address 5.6.7.8


Example Scenarios

1. To make an LDAP server return only referrals with IP addresses 1.2.X.Y, where X = {0 to 255} and Y = {0 to 255}, and exclude all others, enter the following:

       referralIncludeFilter = { 1.2 }

2. To make an LDAP server exclude all referrals that match IP addresses 164.99.X.Y where X is not equal to 100, but return those that match 164.99.100.Y, enter the following:

       referralIncludeFilter = { 164.99.100., "*" }
       referralExcludeFilter = { 164.99. }

   Here, even though the IP addresses 164.99.100.Y also match referralExcludeFilter, the referralIncludeFilter value matches more fields of the address, so these referrals are returned to the LDAP clients. NOTE: When specifying a partial IP address, the trailing "." can be omitted.

3. To make an LDAP server return only clear-text port referrals and drop SSL port referrals, enter either of the following:

       referralIncludeFilter = { "ldap://" }
   OR
       referralExcludeFilter = { "ldaps://" }

4. To make an LDAP server return referrals only from a set of IP addresses and drop all other referrals, enter the following:

       referralIncludeFilter = { 1.2.3.4, 2.3.4.5:389, 3.4.5.6:636, ldaps://4.5.6.7 }
       referralExcludeFilter = { "*" }

   NOTE: Here, referralExcludeFilter is not required. Any populated referralIncludeFilter implies that all other referrals are excluded.

5. Given the two filters

       referralIncludeFilter = { 1.2.3.4 }
       referralExcludeFilter = { 2.3.4.5 }

   a referral to 3.4.5.6 is excluded because it does not match the referralIncludeFilter, even though it does not match the referralExcludeFilter either.
Invalid Filters

• ".2.3.4" or "*.2.3.4" will not match the IP addresses "X.2.3.4".
• "2.3.4*" will not match IP addresses such as 2.3.41 or 2.3.42.
• DNS names such as server1.mydomain.com or *.mydomain.com are not supported.
• Port ranges in filters (allowing a referral IP address on ports start-to-end) are not supported.

No validation is done before these filter values are added to the attributes. If a filter is invalid, the LDAP server ignores that filter and logs the information in the ndsd.log file.
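The filter syntax, the precedence rules shown in the example scenarios and the invalid-filter cases above, modelled in Python as an added illustration. This is not Novell code and not how NLDAP is implemented; it parses filter values in the TID's format, parses a referral URL list, applies the include/exclude rules with "more matched fields wins", and reads the attribute values from a constructed LDIF modify. The LDAP Group DN, the sample referral list, the default ports assumed for portless referral URLs, the counting of a pinned scheme or port as a matched field, and the tie-break in favour of exclude are assumptions, marked ASSUMPTION in the code.

```python
"""Model of NLDAP referral filtering as the TID describes it (added illustration, not
Novell code): parses referralIncludeFilter / referralExcludeFilter values, drops the
shapes the TID calls invalid, and applies the rules to a referral list.  Lines marked
ASSUMPTION go beyond what the TID states."""
import re

LDAP_OTHER = 80                              # result the TID says is returned when all referrals are dropped
DEFAULT_PORT = {"ldap": 389, "ldaps": 636}   # ASSUMPTION: portless referral URLs use the standard ports
_OCTETS_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){0,3}\.?$")
_URL_RE = re.compile(r"^(ldaps?)://([^:/]+)(?::(\d+))?(?:/.*)?$")

def parse_filter(value):
    """(scheme, octets, port) for one filter value, or None for the invalid shapes the
    TID lists: leading '.' or '*', partial octets like '2.3.4*', DNS names, port ranges.
    scheme is 'ldap', 'ldaps' or None (both); '' and '*' give an empty octet tuple."""
    v, scheme = value.strip(), None
    for prefix in ("ldaps://", "ldap://"):
        if v.startswith(prefix):
            scheme, v = prefix[:-3], v[len(prefix):]
            break
    if v in ("", "*"):
        return (scheme, (), None)
    host, _, port = v.partition(":")
    if not _OCTETS_RE.match(host) or (port and not (port.isdigit() and 0 < int(port) < 65536)):
        return None
    octets = tuple(int(o) for o in host.rstrip(".").split("."))
    return None if any(o > 255 for o in octets) else (scheme, octets, int(port) if port else None)

def parse_referral(url):
    """Split ldap[s]://host[:port][/dn] into (scheme, host, port)."""
    m = _URL_RE.match(url.strip())
    if not m:
        raise ValueError("not an LDAP URL: %r" % url)
    scheme, host, port = m.groups()
    return scheme, host, int(port) if port else DEFAULT_PORT[scheme]

def matched_fields(flt, ref):
    """Fields a parsed filter matches on a parsed referral (-1 = no match).  Each matched
    octet is a field; ASSUMPTION: a pinned scheme or port also counts as one, so
    'ldaps://4.5.6.7' beats '4.5.6.7'.  The TID only says "more matched fields" wins."""
    scheme, octets, port = flt
    r_scheme, r_host, r_port = ref
    if (scheme is not None and scheme != r_scheme) or (port is not None and port != r_port):
        return -1
    if octets:
        try:
            r_octets = tuple(int(o) for o in r_host.split("."))
        except ValueError:            # DNS-name host: an IP prefix cannot match it
            return -1
        if r_octets[:len(octets)] != octets:
            return -1
    return len(octets) + (scheme is not None) + (port is not None)

def filter_referrals(referrals, include=(), exclude=()):
    """Referral URLs that survive the filters; empty means NLDAP would return LDAP_OTHER."""
    inc = [f for f in map(parse_filter, include) if f is not None]   # invalid values ignored
    exc = [f for f in map(parse_filter, exclude) if f is not None]
    kept = []
    for url in referrals:
        ref = parse_referral(url)
        best_inc = max((matched_fields(f, ref) for f in inc), default=-1)
        best_exc = max((matched_fields(f, ref) for f in exc), default=-1)
        # A populated include list drops everything it does not match; when both lists
        # match, the more specific one wins (ASSUMPTION: a tie goes to exclude).
        allowed = (best_inc > best_exc) if inc else (best_exc < 0)
        if allowed:
            kept.append(url)
    return kept

def referral_result(referrals, include=(), exclude=()):
    """(LDAP result code, referral list) as the client sees it."""
    kept = filter_referrals(referrals, include, exclude)
    return (0, kept) if kept else (LDAP_OTHER, [])

def filters_from_ldif(ldif):
    """Collect referralIncludeFilter / referralExcludeFilter values from an LDIF modify."""
    inc, exc = [], []
    for line in ldif.splitlines():
        attr, sep, val = line.partition(":")
        if sep and attr.strip().lower() == "referralincludefilter":
            inc.append(val.strip())
        elif sep and attr.strip().lower() == "referralexcludefilter":
            exc.append(val.strip())
    return inc, exc

# Constructed LDIF for the TID's scenario 2; the LDAP Group DN is made up for this example.
SCENARIO2_LDIF = """\
dn: cn=LDAP Group - SERVER1,o=novell
changetype: modify
add: referralIncludeFilter
referralIncludeFilter: 164.99.100.
referralIncludeFilter: *
-
add: referralExcludeFilter
referralExcludeFilter: 164.99.
-
"""
# Constructed referral list standing in for what NLDAP returns for a non-local object.
SAMPLE_REFERRALS = ["ldap://164.99.100.7:389/o=novell", "ldap://164.99.50.9:389/o=novell",
                    "ldaps://10.1.2.3:636/o=novell", "ldap://replica3.example.com/o=novell"]
```

Running filter_referrals(SAMPLE_REFERRALS, *filters_from_ldif(SCENARIO2_LDIF)) keeps 164.99.100.7, 10.1.2.3 and the DNS-named replica and drops 164.99.50.9, which is what scenario 2 asks for. The parse_filter check is worth running on your own values before loading the LDIF: because NLDAP does no validation and only notes an ignored filter in ndsd.log, a mistyped value such as "2.3.4*" in an include list silently narrows what clients are allowed to follow, and a mistyped exclude value silently widens it.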
Known Issues

The LDAP rootDSE search returns altServer values, in LDAP URL format, for any other replica servers. These URLs are not filtered by this mechanism, so a client that picks a server from altServer rather than from a referral is not subject to the filters.

Formerly known as TID# 10087528
Formerly known as TID# NOVL92933