All-
I'm a very recent subscriber to the list, though we've been happily using OpenLDAP for years. Our needs have been pretty pedestrian, so for us OpenLDAP has never required much care and feeding, and hence I've neglected to learn much beyond the basics. Now I need some advice related to multiple suffix support, and what we can do to lessen the pain.
We're currently using OpenLDAP 2.3.x, with a preferred suffix of
suffix "dc=nodak, dc=edu"
When we started with OpenLDAP way back in the day, we used
suffix "o=NDUS, st=North Dakota, c=US"
and unfortunately, we've had to keep that around for legacy (political) reasons, so we're running 2.3.x with two suffix entries in our slapd.conf. The information that's served is exactly the same, no matter which suffix you use. It's just two ways to get at the same information.
When we upgraded to OpenLDAP 2.3.x last year, I quickly discovered that the new default of "back-bdb" was not an option for us, because it doesn't support multiple suffix entries (unless you build it in a special way that "degrades performance", according to the FAQ). That means we had to continue using back-ldbm abstracting bdb as our backend.
We would love to get with the program and switch to back-bdb. Since we unfortunately have to continue to provide two entry points (the FAQ seems to use "naming contexts" as the nomenclature for the suffix), we're looking at options for some kind of proxy/rewrite, so that requests that come in for the older suffix get proxied/rewritten/mapped to our preferred suffix.
One of my coworkers has been doing some research into our options for suffix rewriting, and it looks like we have at least two options:
Option #1:
    database relay
    suffix "ou=<old suffix here>"
    relay "<new suffix here>" massage
Option #2:
    database meta
    suffix "ou=<old suffix here>"
    uri "ldap://localhost/<old suffix here>"
    suffixmassage "<old suffix here>" "<new suffix here>"
Both "meta" and "relay" are experimental, so either one of them could be abandoned and become a dead end for us in the future.
We're leaning toward "relay", since this seems to be very close to what it was designed to do.
Can anyone provide any hints, suggestions, or moral support on whether we're heading in the recommended direction, or whether there's a better way to obviate the need for our legacy suffix entry using some other kind of rewriting?
Thanks,
Tim
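
Added illustration, not part of the original message and not OpenLDAP's own code: a Python model of the DN rewrite that a suffix massage has to perform for the two suffixes named in the post, matching on whole RDNs rather than on the raw string. The sample entries (uid=tim, ou=People and so on) are constructed, and the matching rules are simplifying assumptions: case-insensitive values, backslash escapes only, no quoted values or multi-valued RDNs.

```python
OLD_SUFFIX = "o=NDUS, st=North Dakota, c=US"   # legacy suffix from the post
NEW_SUFFIX = "dc=nodak, dc=edu"                # preferred suffix from the post


def split_rdns(dn):
    """Split a DN on unescaped commas; a backslash escapes the next character."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])      # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    return [r.strip() for r in rdns if r.strip()]


def norm_rdn(rdn):
    """Comparison form: lowercased attribute type, case-folded value with
    runs of whitespace collapsed (assumed case-insensitive matching)."""
    attr, _, value = rdn.partition("=")
    return (attr.strip().lower(), " ".join(value.split()).lower())


def massage(dn, old=OLD_SUFFIX, new=NEW_SUFFIX):
    """Return dn with a trailing `old` suffix replaced by `new`.
    DNs that are not under `old` are returned unchanged."""
    rdns = split_rdns(dn)
    old_rdns = [norm_rdn(r) for r in split_rdns(old)]
    keep = len(rdns) - len(old_rdns)
    if keep < 0 or [norm_rdn(r) for r in rdns[keep:]] != old_rdns:
        return dn
    return ",".join(rdns[:keep] + split_rdns(new))


if __name__ == "__main__":
    # Constructed sample DNs, including one that only looks like the old suffix.
    for sample in ("uid=tim, ou=People, o=NDUS, st=North Dakota, c=US",
                   "cn=a,xo=NDUS,st=North Dakota,c=US"):
        print(sample, "->", massage(sample))
```

The second sample ends with the same characters as the legacy suffix but its RDN is "xo=NDUS", so it is left alone; a plain string replace would have rewritten it.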