<quote who="Daniel Gibby">
Let me narrow the focus of my question a bit more. This isn't a general LDAP question. This is a question specific to OpenLDAP, since I'm looking for people with experience in OpenLDAP and for ways they solved the same problem I'm having with OpenLDAP and MySQL.
This is better ;-)
I understand why migrating to an LDAP back-end, as you are saying, is better. I understand why it is faster, more light-weight and elegant.
As well as centralised data with standards based access, etc. etc.
Yet, the solution to move completely to LDAP and get away from a DB back-end always ignores the fact that our business already has everything working with MySQL.
Understood.
We already have many applications set up to use the DB. We already have what we need except for an LDAP lookup on it. We just need advice on setting up OpenLDAP with a super-simple schema, and suggestions on how to best interface OpenLDAP with MySQL for that schema. I would think that having support for this in OpenLDAP would help the community to grow. Adoption would happen at a much higher rate, since many businesses have a need for such a use of OpenLDAP. That can only be mostly good news for LDAP and OpenLDAP.
Hmmm, if you are merely setting up a directory server for your appliance because it can "do" LDAP lookups, then that seems the wrong way to go about it. In fact, it just seems like data duplication and management overhead to me.
So let me narrow the focus of this question more. I don't want to move away from a MySQL database. I'm open to exporting it to LDIF or to using back-sql, or to some other solution I don't know of that uses MySQL and OpenLDAP. I want someone who has experience using one of those methods to comment on resources they know of on how to get it to work, or with gotchas they found along the way.
man slapd-sql is very good and should answer most questions, using a 2.4.X release.
If we only had the time, we'd look into X.500 server commands and LDAP protocol and build a server that solely runs a ODBC back end and would only support a few limited LDAP commands. It wouldn't really be a full LDAP server, and would only support the Bind and Search commands. No Update, TLS, etc. is needed. It would only be used for this limited purpose.
I do appreciate your input. I should have been more clear as to what I'm looking for with OpenLDAP, as I could have anticipated that my first response would have been to just move solely to an LDAP backend.
There is good information at:
http://www.openldap.org/doc/admin24/backends.html#SQL
http://www.openldap.org/doc/admin24/intro.html#LDAP%20vs%20RDBMS
Gavin Henry wrote:
<quote who="Daniel Gibby">
Hi,
Hi,
We are somewhat new to OpenLDAP and are planning on how we'll use it for our business.
This thread may be more suitable for the general LDAP mailing list:
http://www.umich.edu/~dirsvcs/ldap/mailinglist.html
Nothing, as yet, seems directly related to OpenLDAP since you appear to be at the "understanding LDAP" stages.
We have a few different uses we plan on, but one in particular that I have a question about.
We already have our email server set up to run virtual domains and aliases with a MySQL backend. We have a few thousand email addresses at one domain and we pretty much won't need more meta-information related to them besides what is already in our database.
A spam firewall appliance sits in front of our email server. The spam firewall supports an LDAP lookup for email addresses.
Since we already use MySQL for the backend of our email addresses, what would be the ways we should consider integrating OpenLDAP to support the spam firewall appliance?
Switch MySQL out for OpenLDAP. Put your virtual domains and aliases in there and then point your Spam/Firewall appliance at it.
I'm wary of using back-sql since all I ever see when searching through the OpenLDAP archives are somewhat old issues and lack of support.
Not lack of support, mainly improper use of back-sql or misunderstanding its intended purpose...
If I'm wrong about shying away from that, let me know.
It seems to me that we need a very simple implementation for this part of our business. Our schema only needs to include the email address, that's it.
For other areas of our business we'd want to set up something more extensive on another server, but what would you see as options for setting up what would be required for this appliance lookup?
Thanks for your input! I'll post questions about our other uses or issues of OpenLDAP in another thread.
Again, these discussion items are better suited to the general LDAP list:
http://www.umich.edu/~dirsvcs/ldap/mailinglist.html
Thanks,
Gavin.
openldap-software@openldap.org
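As an added illustration of the back-sql route discussed in this thread (not code from the thread or from the OpenLDAP project), here is what a minimal slapd-sql mapping for an address-only lookup looks like in MySQL. It assumes a hypothetical source table `mailbox(id, email, active)` and that the back-sql metadata tables were created with the MySQL `backsql_create.sql` shipped with OpenLDAP; the view, `ldap_org` table, account name and password are constructed for the example.

```sql
-- Added example, not from the thread: back-sql metadata for a mail-only lookup.
-- Assumed, hypothetical source table: mailbox(id INT PK, email VARCHAR, active TINYINT).
-- Assumes ldap_oc_mappings, ldap_attr_mappings, ldap_entries and
-- ldap_entry_objclasses exist as created by OpenLDAP's MySQL backsql_create.sql.

-- Expose only active addresses, and only the columns the appliance needs.
CREATE OR REPLACE VIEW ldap_mail_v AS
  SELECT id, email FROM mailbox WHERE active = 1;

-- One row that becomes the directory suffix (o=example).
CREATE TABLE ldap_org (id INT PRIMARY KEY, name VARCHAR(64) NOT NULL);
INSERT INTO ldap_org VALUES (1, 'example');

-- objectClass -> table mappings (oc_map_id 1 = inetOrgPerson, 2 = organization).
INSERT INTO ldap_oc_mappings
  (id, name, keytbl, keycol, create_proc, delete_proc, expect_return) VALUES
  (1, 'inetOrgPerson', 'ldap_mail_v', 'id', NULL, NULL, 0),
  (2, 'organization',  'ldap_org',    'id', NULL, NULL, 0);

-- attribute -> column mappings; sel_expr is what slapd SELECTs for each attribute.
-- cn and sn are MUST attributes of inetOrgPerson, so they are served from email too.
INSERT INTO ldap_attr_mappings
  (id, oc_map_id, name, sel_expr, from_tbls, join_where,
   add_proc, delete_proc, param_order, expect_return) VALUES
  (1, 1, 'mail', 'ldap_mail_v.email', 'ldap_mail_v', NULL, NULL, NULL, 3, 0),
  (2, 1, 'cn',   'ldap_mail_v.email', 'ldap_mail_v', NULL, NULL, NULL, 3, 0),
  (3, 1, 'sn',   'ldap_mail_v.email', 'ldap_mail_v', NULL, NULL, NULL, 3, 0),
  (4, 2, 'o',    'ldap_org.name',     'ldap_org',    NULL, NULL, NULL, 3, 0);

-- DN per entry: the suffix (id 1, no parent) and one child per active address.
-- This is the duplication Gavin mentions: ldap_entries must track the mail table.
INSERT INTO ldap_entries (id, dn, oc_map_id, parent, keyval)
  VALUES (1, 'o=example', 2, 0, 1);
INSERT INTO ldap_entries (id, dn, oc_map_id, parent, keyval)
  SELECT id + 1, CONCAT('mail=', email, ',o=example'), 1, 1, id FROM ldap_mail_v;

-- Least privilege: slapd only ever needs to read. Give it a SELECT-only account,
-- and in slapd.conf put "readonly on" in the "database sql" section (together with
-- suffix "o=example", dbname <ODBC DSN>, dbuser and dbpasswd), so the appliance's
-- Bind/Search path can never become a write path into the mail database.
CREATE USER 'slapd_ro'@'localhost' IDENTIFIED BY '<placeholder-password>';
GRANT SELECT ON ldap_mail_v          TO 'slapd_ro'@'localhost';
GRANT SELECT ON ldap_org             TO 'slapd_ro'@'localhost';
GRANT SELECT ON ldap_oc_mappings     TO 'slapd_ro'@'localhost';
GRANT SELECT ON ldap_attr_mappings   TO 'slapd_ro'@'localhost';
GRANT SELECT ON ldap_entries         TO 'slapd_ro'@'localhost';
GRANT SELECT ON ldap_entry_objclasses TO 'slapd_ro'@'localhost';
```

The `INSERT ... SELECT` into `ldap_entries` is a one-time seed; rows added to `mailbox` later need the same treatment (a trigger or a periodic job), which is the ongoing maintenance cost to weigh against a plain LDIF export.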