Hello all,
I'm been working with OpenLDAP in a metadirectory configuration -- I'm using it to provide a merged view of two organization LDAP servers, along with a local database to support "external collaborators" (that is, people not otherwise affiliated with our organization). In my limited testing it seems to be working reasonably well, but I'm not sure I completely understand all the components. For example, I'm unsure of the difference between this:
database meta
uri ldap://serverA.example.com/ou=A,o=organization uri ldap://serverB.example.com/ou=B,o=organization # ...necessary suffix massaging...
database hdb suffix o=organization
And this:
database ldap subordinate suffix ou=A,o=organization uri ldap://serverA.example.com # ...rewriting...
database ldap subordinate suffix ou=B,o=organization uri ldap://serverB.example.com # ...rewriting...
database hdb suffix o=organization
Both seem to provide the same behavior; a search against o=organization will search all three directories. Is either configuration preferable? Is one backend considered more stable than the other? is there some subtle difference in behavior that I'm missing? I'd appreciate your input.
slapd-ldap(5) and slapd-meta(5) share some of the code. slapd-ldap(5) is usually few features ahead of slapd-meta(5). In general, slapd-meta(5) supports between 90 and 99% of the features of slapd-ldap(5). The main difference between the two setups you mentioned is in long searches that span multiple targets. Slapd-meta(5) operates in parallel, i.e. searches are spawn simultaneously on all pertinent targets, and results are dealt with as soon as they come in. In a glued database layout, searches are performed sequentially. This has nearly no impact for local storage, while it can have a significant impact in the case of proxied remote targets.
p.