Hi,
After more than a day of fiddling with it, I turn to you, the gurus ;)
I'm trying to create an OpenLDAP proxy that will talk to 2 OpenLDAP servers, doing MirrorMode replication and using a floating IP so that I can point all write queries to one and the same server. Those 2 MirrorMode servers are up and running and doing fine, but I can't figure out how to make that proxy.
I'm running on Debian Bullseye (still "testing" at this moment), with OpenLDAP 2.4.57, both on the backend servers and the proxy I'm trying to make. I'm not using TLS yet, that's for later.
After installation, there's an (empty, of course) mdb database. I think I should throw that away, but I'm not sure. The suffix in that database is different than the one I need to proxy, so it's probably not a problem to leave it there.
I have loaded the extra schemas that I use on the MirrorMode machines, and loaded the backends ldap and meta, with LDIF files like this:
dn: cn=module{0},cn=config changetype: modify add: olcModuleLoad olcModuleLoad: back_ldap.la
And fed that to slapd with
ldapmodify -Y EXTERNAL -h ldapi:/// -f <file>
I checked with ldapvi and saw both modules loaded. So far, so good.
Now I need to create the backend, and this is where I keep running into problems. Although the use of slapd.conf has fallen from grace a long time ago, every example I can find online only uses that. So I tried creating one and adding it to the configuration with slaptest. This is what I came up with:
backend meta database meta suffix "dc=example,dc=com" rootdn "cn=admin,dc=example,dc=com" rootpw "super secret passwd"
uri "ldap://172.16.7.6/dc=example,dc=com" readonly yes acl-authcDN "cn=admin,dc=example,dc=com" acl-passwd "super secret passwd"
uri "ldap://172.16.7.7/dc=example,dc=com" readonly yes acl-authcDN "cn=admin,dc=example,dc=com" acl-passwd "super secret passwd"
uri "ldap://172.16.7.8/dc=example,dc=com" readonly no acl-authcDN "cn=admin,dc=example,dc=com" acl-passwd "super secret passwd"
But when I try to convert that, I get an error:
# slaptest -f /root/proxybackend.conf -F /etc/ldap/slapd.d
6075bced /root/proxybackend.conf: line 1: <backend> failed init (meta)! slaptest: bad configuration directory!
The information in the OpenLDAP Handbook is, well, lacking:
https://openldap.org/doc/admin24/backends.html#Metadirectory
I had hoped to find a way to create an LDIF file which I could add with ldapadd, but I never came much further than this:
dn: olcDatabase=meta objectClass: olcDatabaseConfig objectClass: olcMetaConfig olcDatabase: meta olcSuffix: dc=example,dc=com olcRootDN: cn=admin,dc=example,dc=com olcRootPW: "super secret passwd"
which results in:
adding new entry "olcDatabase=meta" ldap_add: Server is unwilling to perform (53) additional info: no global superior knowledge
I'm pretty sure I need more lines in that, to begin with the URI lines to point the proxy to the machines it needs to contact, but I couldn't find the olcSomeThing syntax for them. I'm pretty good at searching, but not so good at finding, unfortunately.
Can somebody give me a few hints please? I'm pretty sure I'm missing something small here, but I'm stuck.
Kind regards,
Hans