Adding, modifying, and deleting referral objects is generally done using ldapmodify(1) or similar tools which support the ManageDsaIT control. The ManageDsaIT control informs the server that you intend to manage the referral object as a regular entry. This keeps the server from sending a referral result for requests which interrogate or update referral objects.
The ManageDsaIT control should not be specified when managing regular entries.
The -M option of ldapmodify(1) (and other tools) enables ManageDsaIT. For example:
ldapmodify -M -f referral.ldif -x -D "cn=Manager,dc=example,dc=net" -W
or with ldapsearch(1):
ldapsearch -M -b "dc=example,dc=net" -x "(objectclass=referral)" '*' ref
The ref attribute is operational and must be explicitly requested when desired in search results.
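The following is an added example, not part of the OpenLDAP documentation: it reads the LDIF that the ldapsearch -M command above returns and reports where each referral object points, so referrals to unexpected servers stand out. The function names, the allow list of hosts, and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads LDIF from: ldapsearch -M -LLL ... "(objectclass=referral)" '*' ref
# and prints one tab-separated line per ref value: STATUS, entry DN, referral URL.

audit_referrals() {
    # $1: space-separated approved referral hosts (assumed site policy)
    awk -v allowed="$1" '
    function check(line,    url, host) {
        if (line == "") { dn = ""; return }              # blank line ends an entry
        if (line ~ /^dn::? /) { dn = line; sub(/^dn::? /, "", dn); return }
        if (tolower(line) ~ /^ref:: /) {                 # base64 value: review by hand
            printf "ENCODED\t%s\t%s\n", dn, substr(line, 7); return
        }
        if (tolower(line) !~ /^ref: /) return
        url = substr(line, 6)
        host = url
        sub(/^[A-Za-z]+:\/\//, "", host)                 # drop the scheme
        sub(/\/.*$/, "", host)                           # drop the DN part
        sub(/:[0-9]+$/, "", host)                        # drop the port
        printf "%s\t%s\t%s\n", ((tolower(host) in ok) ? "OK" : "UNAPPROVED"), dn, url
    }
    BEGIN { n = split(tolower(allowed), a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^ / { cur = cur substr($0, 2); next }               # folded LDIF line: join it
    { if (NR > 1) check(cur); cur = $0 }
    END { if (NR > 0) check(cur) }
    '
}

# Constructed sample of the search output; the last value is folded across two lines.
sample_ldif() {
    printf '%s\n' \
        'dn: dc=subtree,dc=example,dc=net' \
        'objectClass: referral' \
        'objectClass: extensibleObject' \
        'dc: subtree' \
        'ref: ldap://b.example.net/dc=subtree,dc=example,dc=net' \
        '' \
        'dn: ou=partners,dc=example,dc=net' \
        'objectClass: referral' \
        'objectClass: extensibleObject' \
        'ou: partners' \
        'ref: ldap://ldap.partner.example:389/ou=partners,dc=exam' \
        ' ple,dc=net'
}

sample_ldif | audit_referrals "b.example.net"
```

Against a live server, pipe the ldapsearch command into audit_referrals in place of sample_ldif.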
The use of referrals to construct a Distributed Directory Service is extremely clumsy and not well supported by common clients. If an existing installation has already been built using referrals, the use of the chain overlay to hide the referrals will greatly improve the usability of the Directory system. A better approach would be to use explicitly defined local and proxy databases in subordinate configurations to provide a seamless view of the Distributed Directory.