LDAP meta directory

Sometimes you need to combine two or more LDAP directories with the same suffix into one directory, or you just need a proxy. My first attempt to combine two OpenLDAP directories was to set up replication from two different sources. This solution, however, has some disadvantages. First: to use syncprov replication your environment must be uniform, meaning all source servers and the proxy need to be OpenLDAP. Second: I observed that it is not very stable, because of the OpenLDAP replication issues mentioned earlier.

When I finally decided to move a larger part of my LDAP directory (about 48k entries) to an OpenDJ server, I searched for another solution; DSEE and Oracle Virtual Directory, which is probably the best proxy server, were out of my scope. So I decided to use the OpenLDAP meta proxy.

Replication was not a good solution, because each LDAP server has its own way of doing it; for example OpenDJ uses a separate port, 8989. But there is something common to all LDAP implementations: on port 389 each server responds to queries in the LDAPv3 standard. I then found the LDAP backend (back-ldap).
Configuration is rather simple: one needs to enable the back_ldap.la module and put a few lines in the configuration file.


modulepath      /usr/lib/ldap
moduleload      back_ldap.la
# other stuff, schemas etc.
database        ldap
suffix          "dc=example,dc=com"
#rootdn
uri             ldap://192.168.1.10/ ldap://192.168.1.20/

But this is not what I was searching for. It works like this: the first server answers queries until it becomes unavailable, then queries are sent to the next server in the list, and if that one answers it is moved to the first place in the list (according to the documentation). That is fine if the servers have the same content, but I need to join sources with different content into one Directory Information Tree (DIT). Let's focus on the meta backend (back_meta).

I found in the backend documentation that this could be the proper solution, but the configuration section there is very poor, because it contains only one word: LATER.
Fortunately, the configuration is not so complex:


# Load dynamic backend modules:
modulepath      /usr/lib/ldap
moduleload      back_ldap.la
moduleload      back_meta.la
# other useful things

access to dn.base=""
        by * read

access to dn.base="cn=Subschema"
        by * read

include  /etc/ldap/acl.conf

database meta
suffix  "dc=example,dc=com"
uri     "ldap://192.168.1.10/dc=example,dc=com"
uri     "ldap://192.168.1.20/dc=example,dc=com"
lastmod off

Of course, you need to include all schemas used by the source servers. Even if the meta directory starts without them, it will not be able to serve results to clients, because it will not know about the attributes that exist on the source servers.

You should also set up proper ACLs; here they are included from a separate file. You can also add a few parameters like rootdn or rootpw, or point each URI at a different DIT fragment, like this:


database meta
suffix  "dc=example,dc=com"
uri     "ldap://192.168.1.10/ou=org-1,dc=example,dc=com"
uri     "ldap://192.168.1.20/ou=org-2,dc=example,dc=com"
lastmod off

But personally I did not test that, so I will not describe it here.
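A small lint for the meta stanza, added here as my own example (not code from the post): it parses the database meta section of a constructed slapd.conf fragment modelled on the second example, checks that back_meta.la is loaded, and verifies that every target naming context ends with the meta suffix, as slapd-meta requires. The configuration text and the check names are constructed for this example.

```python
from urllib.parse import urlparse, unquote
# Constructed slapd.conf fragment modelled on the post's second meta example (not a real server).
SAMPLE_CONF = """\
modulepath      /usr/lib/ldap
moduleload      back_ldap.la
moduleload      back_meta.la
database meta
suffix  "dc=example,dc=com"
uri     "ldap://192.168.1.10/ou=org-1,dc=example,dc=com"
uri     "ldap://192.168.1.20/ou=org-2,dc=example,dc=com"
lastmod off
"""

def norm_dn(dn):
    # Lower-case and strip blanks around RDN separators so DNs compare as plain strings.
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_meta(conf):
    # Returns (loaded modules, meta suffix, [(hosts, target naming context)]).
    modules, suffix, targets, in_meta = [], None, [], False
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)  # drop comments, split key from value
        if not parts:
            continue
        key, val = parts[0], (parts[1].strip().strip('"') if len(parts) > 1 else "")
        if key == "moduleload":
            modules.append(val)
        elif key == "database":                      # a new database stanza starts here
            in_meta = (val == "meta")
        elif in_meta and key == "suffix":
            suffix = norm_dn(val)
        elif in_meta and key == "uri":
            # One uri line is one target: naming context from the first URI, further URIs are failover hosts.
            urls = [urlparse(u) for u in val.split()]
            targets.append(([u.netloc for u in urls], norm_dn(unquote(urls[0].path.lstrip("/")))))
    return modules, suffix, targets

def check_meta(conf):
    # Lint the meta stanza; an empty list means the config looks consistent.
    modules, suffix, targets = parse_meta(conf)
    problems = []
    if "back_meta.la" not in modules:
        problems.append("back_meta.la is not loaded with moduleload")
    if suffix is None:
        problems.append("database meta has no suffix")
    for hosts, dn in targets:  # every target naming context must sit inside the meta suffix
        if suffix and dn != suffix and not dn.endswith("," + suffix):
            problems.append(f"{','.join(hosts)}: target {dn} is outside suffix {suffix}")
    return problems
```

Run `check_meta(open("/etc/ldap/slapd.conf").read())` against your own file before restarting slapd; a target that does not end with the suffix is reported with the host it came from.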
