{"id":299,"date":"2011-08-04T14:36:59","date_gmt":"2011-08-04T12:36:59","guid":{"rendered":""},"modified":"2016-02-22T11:28:21","modified_gmt":"2016-02-22T10:28:21","slug":"ldap-meta-directory","status":"publish","type":"post","link":"https:\/\/drfugazi.eu.org\/en\/ldap-meta-directory\/","title":{"rendered":"LDAP meta directory"},"content":{"rendered":"<p>Sometimes you need to combine two or more LDAP directories with the same suffix into one directory, or you just need a proxy. My first attempt to combine two OpenLDAP directories was to replicate from two different sources. This solution, however, has some disadvantages. First of all: syncprov replication requires a uniform environment, which means all source servers and the proxy need to be OpenLDAP. Second: I observed that this is not so stable, because of the OpenLDAP replication issues mentioned earlier.<br \/>\n<!--more--><br \/>\nWhen I finally decided to move the larger part of my LDAP directory (about 48k entries) to an OpenDJ server, I was searching for another solution, and DSEE or Oracle Virtual Directory, which is probably the best proxy server, was out of my scope. Then I decided to use the OpenLDAP meta proxy.<\/p>\n<p>Replication was not a good solution, because each LDAP server has its own way of doing it; OpenDJ, for example, uses a separate port, 8989. But there is something common to all LDAP implementations: on port 389 each server responds to queries according to the LDAPv3 standard. 
I then found something called the <a href=\"http:\/\/www.openldap.org\/doc\/admin24\/backends.html\">ldap backend<\/a> (<code>back-ldap<\/code>).<br \/>\nConfiguration is rather simple: one needs to enable the <code>back_ldap.la<\/code> module and put a few lines into the configuration file.<\/p>\n<pre><code>\r\nmodulepath      \/usr\/lib\/ldap\r\nmoduleload      back_ldap.la\r\n# other stuff, schemas etc.\r\ndatabase        ldap\r\nsuffix          \"dc=example,dc=com\"\r\n#rootdn\r\nuri             ldap:\/\/192.168.1.10\/ ldap:\/\/192.168.1.20\/\r\n<\/code><\/pre>\n<p>But this is not what I was searching for. It works like this: the first server answers queries until it becomes unavailable, then queries are transferred to the next server in the list, and if that one answers it is moved to the first place in the list (according to the documentation). That is fine if the servers have the same content, but I need to join sources with different content into one Directory Information Tree (DIT). Let&#8217;s focus on the <b>meta<\/b> backend (<code>back_meta<\/code>).<\/p>\n<p>I found in the <a href=\"http:\/\/www.openldap.org\/doc\/admin24\/backends.html\">backend documentation<\/a> that this could be the proper solution, but the configuration section there is very poor, because it contains only one word: <b>LATER<\/b>.<br \/>\nFortunately, the configuration is not so complex:<\/p>\n<pre><code>\r\n# Load dynamic backend modules:\r\nmodulepath      \/usr\/lib\/ldap\r\nmoduleload      back_ldap.la\r\nmoduleload      back_meta.la\r\n# other useful things\r\n\r\naccess to dn.base=\"\"\r\n        by * read\r\n\r\naccess to dn.base=\"cn=Subschema\"\r\n        by * read\r\n\r\ninclude  \/etc\/ldap\/acl.conf\r\n\r\ndatabase meta\r\nsuffix  \"dc=example,dc=com\"\r\nuri     \"ldap:\/\/192.168.1.10\/dc=example,dc=com\"\r\nuri     \"ldap:\/\/192.168.1.20\/dc=example,dc=com\"\r\nlastmod off\r\n<\/code><\/pre>\n<p>Of course, you need to include all schemas used by the source servers. 
Even if the meta directory starts without them, it will not be able to serve results to clients, because it will not know about the attributes that exist in the source servers.<\/p>\n<p>You should also define proper ACLs; here they are included from a separate file. You can also add a few parameters such as <code>rootdn<\/code> and <code>rootpw<\/code>, or different DIT fragments in the URIs, like this:<\/p>\n<pre><code>\r\ndatabase meta\r\nsuffix  \"dc=example,dc=com\"\r\nuri     \"ldap:\/\/192.168.1.10\/ou=org-1,dc=example,dc=com\"\r\nuri     \"ldap:\/\/192.168.1.20\/ou=org-2,dc=example,dc=com\"\r\nlastmod off\r\n<\/code><\/pre>\n<p>But personally I did not test that, so I will not describe it here.<\/p>","protected":false},"excerpt":{"rendered":"<p>Sometimes you need to combine two or more LDAP directories with same suffixes to one directory or you just need to have a proxy. My first attempts to combine two OpenLDAP directories was to make replication from two different sources. This solution however has some disadvantages. First of all: to have syncprov replication your environment must be uniform, this means all source servers and proxy needs to be OpenLDAP. 
Second: I observed that this is not so stable, because of mentioned earlier issues with OpenLDAP replication.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_newsletter_tier_id":0,"footnotes":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false}}},"categories":[115],"tags":[6,88,44],"jetpack_publicize_connections":[],"acf":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p7M9Tz-4P","jetpack-related-posts":[{"id":373,"url":"https:\/\/drfugazi.eu.org\/en\/budowa-systemu-pocztowego\/","url_meta":{"origin":299,"position":0},"title":"Building mail system","author":"drfugazi","date":"Monday August 13th, 2012","format":false,"excerpt":"This description is based on my experience, which I gained during mail system implementation on University of Silesia (Katowice\/Poland). In the first stage there was about 3 000 of users, now the system is handling about 40 k of mail users. 
Whole system (exluding Sophos AV) is based on Open\u2026","rel":"","context":"In &quot;Mail system&quot;","block_context":{"text":"Mail system","link":"https:\/\/drfugazi.eu.org\/en\/category\/mail-system\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":340,"url":"https:\/\/drfugazi.eu.org\/en\/konfiguracja-replikacji-multi-master-opendj\/","url_meta":{"origin":299,"position":1},"title":"(Polski) Konfiguracja replikacji Multi-Master w OpenDJ","author":"drfugazi","date":"Friday July 22nd, 2011","format":false,"excerpt":"Sorry, this entry is only available in Polish. For the sake of viewer convenience, the content is shown below in the alternative language. You may click the link to switch the active language.G\u0142\u00f3wnym powodem mojej migracji us\u0142ug katalogowych z OpenLDAP do OpenDJ jest w\u0142asnie mechanizm replikacji, a raczej jego niezbyt\u2026","rel":"","context":"In &quot;LDAP&quot;","block_context":{"text":"LDAP","link":"https:\/\/drfugazi.eu.org\/en\/category\/ldap\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":228,"url":"https:\/\/drfugazi.eu.org\/en\/instalacja-i-konfiguracja-openldap\/","url_meta":{"origin":299,"position":2},"title":"Instalacja i konfiguracja OpenLDAP","author":"drfugazi","date":"Monday November 22nd, 2010","format":false,"excerpt":"Instalacja i podstawowa konfiguracja us\u0142ugi katalogowej LDAP (OpenLDAP) na Ubuntu: drfugazi@charr:~% sudo aptitude install slapd ldap-utils Opis wzorowany jest na angielskim opisie dla Karmic Koala na HowtoForge. Ja jestem przyzwyczajony do konfigurowania LDAPa w pliku slapd.conf, ale to stara szko\u0142a. 
Tutaj dostajemy mo\u017cliwo\u015b\u0107 dynamicznej konfiguracji bez konieczno\u015bci restartu serwera LDAP.\u2026","rel":"","context":"In \"Konfiguracja\"","block_context":{"text":"Konfiguracja","link":"https:\/\/drfugazi.eu.org\/en\/tag\/konfiguracja\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":332,"url":"https:\/\/drfugazi.eu.org\/en\/instalacja-i-konfiguracja-openldap\/","url_meta":{"origin":299,"position":3},"title":"Instalacja i konfiguracja OpenLDAP","author":"","date":"Monday November 22nd, 2010","format":false,"excerpt":"Instalacja i podstawowa konfiguracja us\u0142ugi katalogowej LDAP (OpenLDAP) na Ubuntu: drfugazi@charr:~% sudo aptitude install slapd ldap-utils Opis wzorowany jest na angielskim opisie dla Karmic Koala na HowtoForge. Ja jestem przyzwyczajony do konfigurowania LDAPa w pliku slapd.conf, ale to stara szko\u0142a. Tutaj dostajemy mo\u017cliwo\u015b\u0107 dynamicznej konfiguracji bez konieczno\u015bci restartu serwera LDAP.\u2026","rel":"","context":"Similar post","block_context":{"text":"Similar post","link":""},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":285,"url":"https:\/\/drfugazi.eu.org\/en\/konfiguracja\/","url_meta":{"origin":299,"position":4},"title":"Konfiguracja OpenDJ","author":"drfugazi","date":"Monday July 11th, 2011","format":false,"excerpt":"Po rozpakowaniu i instalacji OpenDJ jest wst\u0119pnie skonfigurowany. W moim przypadku posiada te\u017c wpis bazowy (base entry), tutaj niech to b\u0119dzie dc=domain,dc=tld. Je\u015bli kto\u015b dopiero buduje drzewo LDAP, to pewnie teraz doda sobie standardowe ou=People i tam b\u0119dzie umieszcza\u0142 u\u017cytkownik\u00f3w za pomoc\u0105 narz\u0119dzi do zarz\u0105dzania katalogiem LDAP. 
Zwykle jednak jest\u2026","rel":"","context":"In &quot;LDAP&quot;","block_context":{"text":"LDAP","link":"https:\/\/drfugazi.eu.org\/en\/category\/ldap\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":337,"url":"https:\/\/drfugazi.eu.org\/en\/dodawanie-schematow-opendj\/","url_meta":{"origin":299,"position":5},"title":"Dodawanie schemat\u00f3w do OpenDJ","author":"drfugazi","date":"Tuesday July 12th, 2011","format":false,"excerpt":"Sorry, this entry is only available in Polish. For the sake of viewer convenience, the content is shown below in the alternative language. You may click the link to switch the active language.OpenDJ podobnie jak inne us\u0142ugi katalogowe pozwala na rozszerzanie funkcjonalno\u015bci katalogu poprzez dodawanie schemat\u00f3w. Istnieje szereg gotowych schemat\u00f3w,\u2026","rel":"","context":"In &quot;LDAP&quot;","block_context":{"text":"LDAP","link":"https:\/\/drfugazi.eu.org\/en\/category\/ldap\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/posts\/299"}],"collection":[{"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/comments?post=299"}],"version-history":[{"count":1,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/posts\/299\/revisions"}],"predecessor-version":[{"id":584,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/posts\/299\/revisions\/584"}],"wp:attachment":[{"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/media?parent=299"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/categories?post=299"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\
/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/tags?post=299"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}