Hi,
I have a scenario where I would like an LDAP proxy which looks at the base DN and generates an LDAP URI to proxy to dynamically. I have several 100.000 potential URIs and they change constantly, so hardwiring them in slapd.conf is not an option.
Example: A search request arrives for this base "dc=host1,dc=mutex,dc=dk". The proxy should proxy the request to: ldap://host1.mutex.dk/dc=host1,dc=mutex,dc=dk/
... and so on for host2-<very high number> (no, I don't have 200000 LDAP servers, but I have 200000 DNS entries for which I do not control the mapping to servers)
I thought I had to write a back-perl module, but I've been looking at slapd-meta and I see that it can rewrite to URIs:
"In case the rewritten DN is an LDAP URI, the operation is initiated towards the host[:port] indicated in the uri, if it does not refer to the local server"
But I can't get this to work. slapd-meta insists on having a "uri" directive, which doesn't make sense in my scenario, and if I add a dummy "uri" it seems to try to connect to that server. There might of course be some idea in reusing TCP connections, and that would be nice, since in reality there are only 3-4 servers answering requests, but they are identified by 3-400.000 DNS entries.
Am I missing something? Is this possible with slapd-meta? Or do I have to write a back-perl module?
regards, Peter
Peter Mogensen wrote:
> Hi,
> I have a scenario where I would like an LDAP proxy which looks at the base DN and generates an LDAP URI to proxy to dynamically. I have several 100.000 potential URIs and they change constantly, so hardwiring them in slapd.conf is not an option.
> Example: A search request arrives for this base "dc=host1,dc=mutex,dc=dk". The proxy should proxy the request to: ldap://host1.mutex.dk/dc=host1,dc=mutex,dc=dk/
> ... and so on for host2-<very high number> (no, I don't have 200000 LDAP servers, but I have 200000 DNS entries for which I do not control the mapping to servers)
> I thought I had to write a back-perl module, but I've been looking at slapd-meta and I see that it can rewrite to URIs:
> "In case the rewritten DN is an LDAP URI, the operation is initiated towards the host[:port] indicated in the uri, if it does not refer to the local server"
That sentence belongs to a "white paper" that eventually evolved into a man page; unfortunately, items on a wish list seem to have slipped in. That feature has never existed, although it could be useful.
> But I can't get this to work. slapd-meta insists on having a "uri" directive, which doesn't make sense in my scenario, and if I add a dummy "uri" it seems to try to connect to that server. There might of course be some idea in reusing TCP connections, and that would be nice, since in reality there are only 3-4 servers answering requests, but they are identified by 3-400.000 DNS entries.
> Am I missing something? Is this possible with slapd-meta? Or do I have to write a back-perl module?
In principle, you could use back-dnssrv to have requests turned into referrals based on DNS SRV entries (draft-ietf-ldapext-locate); the referrals could be automatically chased by an instance of slapo-chain(5). This requires your DNS to expose the DNS SRV for ldap regarding those servers that service each naming context you want to be mapped. Otherwise, I think the feature you need could be added in slapd-meta(5) somehow (and might be of general use). You could submit a feature request via the ITS http://www.openldap.org/its/ (best accompanied by a patch :)
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: ando@sys-net.it
-----------------------------------
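The back-dnssrv approach suggested above rests on the DN-to-domain mapping of draft-ietf-ldapext-locate: the dc= components of the requested base are turned into a DNS name, the _ldap._tcp SRV records for that name are queried, and the result is handed back as a referral that slapo-chain can follow. The following Python is an added illustration of that mechanism written for this thread; it is not OpenLDAP code and does not talk to DNS. The SRV records, the hostnames under mutex.dk and the function names dn_to_domain, locate and sample_srv_lookup are all constructed for the example. It also adds one thing a chaining proxy needs that the thread does not spell out: a check that the SRV target lies inside the operator's own domain, so that a stray or spoofed SRV record cannot make the proxy open connections to an arbitrary host.

```python
import re
from urllib.parse import quote

# Constructed sample SRV records (not real DNS data), keyed by owner name.
# Each record is (priority, weight, port, target) as in RFC 2782.
SAMPLE_SRV = {
    "_ldap._tcp.host1.mutex.dk": [
        (10, 60, 389, "ldap-a.mutex.dk."),
        (20, 0, 389, "ldap-backup.mutex.dk."),
        (10, 40, 389, "ldap-b.mutex.dk."),
    ],
    "_ldap._tcp.host2.mutex.dk": [(0, 0, 389, "ldap-b.mutex.dk.")],
    # A record pointing outside the operator's domain; the allowlist must drop it.
    "_ldap._tcp.host3.mutex.dk": [(0, 0, 389, "rogue.example.net.")],
}

# A plain dc= RDN: a single DNS label, optionally surrounded by whitespace.
_DC_RDN = re.compile(r"^\s*dc\s*=\s*([A-Za-z0-9-]{1,63})\s*$", re.IGNORECASE)


def dn_to_domain(dn: str):
    """Map a DN consisting only of dc= RDNs to a DNS domain name.

    This is the RFC 2247 mapping that draft-ietf-ldapext-locate (and hence
    back-dnssrv) relies on. Any RDN that is not a plain dc= component makes
    the DN non-mappable, so None is returned rather than a guess. Splitting
    on ',' is sufficient here because a dc label cannot contain an escaped
    comma; such an RDN simply fails the regex.
    """
    labels = []
    for rdn in dn.split(","):
        m = _DC_RDN.match(rdn)
        if m is None:
            return None
        labels.append(m.group(1).lower())
    return ".".join(labels) if labels else None


def sample_srv_lookup(name: str):
    """Stand-in for a real SRV query; returns the constructed records above."""
    return SAMPLE_SRV.get(name, [])


def locate(dn: str, srv_lookup, allowed_suffix: str):
    """Return candidate LDAP referral URIs for the naming context `dn`.

    Records are ordered by SRV priority (lowest first) and, within a
    priority, by weight (highest first). RFC 2782 actually chooses among
    equal priorities weighted-randomly; the deterministic order here is a
    simplification. Targets outside `allowed_suffix` are dropped so that a
    referral chaser such as slapo-chain is never pointed at a host the
    operator does not control.
    """
    domain = dn_to_domain(dn)
    if domain is None:
        return []
    records = sorted(srv_lookup("_ldap._tcp." + domain),
                     key=lambda r: (r[0], -r[1]))
    uris = []
    for _prio, _weight, port, target in records:
        host = target.rstrip(".").lower()
        if host != allowed_suffix and not host.endswith("." + allowed_suffix):
            continue  # refuse to refer outside the operator's own domain
        # '=' and ',' are left unescaped in the URL path so the DN stays readable.
        uris.append(f"ldap://{host}:{port}/{quote(dn, safe='=,')}")
    return uris


if __name__ == "__main__":
    for uri in locate("dc=host1,dc=mutex,dc=dk", sample_srv_lookup, "mutex.dk"):
        print(uri)
```

Note that with SRV records the referral target is whatever the SRV record names, not necessarily host1.mutex.dk itself, which matches the situation described in the thread where a few real servers answer for a very large number of DNS names: each _ldap._tcp.hostN.mutex.dk record can simply point at one of those servers.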
Pierangelo Masarati wrote:
> Peter Mogensen wrote:
>> "In case the rewritten DN is an LDAP URI, the operation is initiated towards the host[:port] indicated in the uri, if it does not refer to the local server"
> That sentence belongs to a "white paper" that eventually evolved into a man page; unfortunately, items on a wish list seem to have slipped in.
That thought crossed my mind... :)
> That feature has never existed, although it could be useful.
Oh bummer...
> In principle, you could use back-dnssrv to have requests turned into referrals based on DNS SRV entries (draft-ietf-ldapext-locate); the referrals could be automatically chased by an instance of slapo-chain(5). This requires your DNS to expose the DNS SRV for ldap regarding those servers that service each naming context you want to be mapped. Otherwise, I think the feature you need could be added in slapd-meta(5) somehow (and might be of general use). You could submit a feature request via the ITS http://www.openldap.org/its/ (best accompanied by a patch :)
;-)
Thanks for your advice.
openldap-software@openldap.org