I'm currently using the following configuration for an application-specific LDAP directory to present a unified view of its local data (ou=localapp) and remote data (ou=people), all under dc=example,dc=com:

database hdb
suffix ou=localapp,dc=example,dc=com
# ...

database meta
suffix dc=example,dc=com
uri ldapi:///ou=localapp,dc=example,dc=com
uri ldap://remoteldap.example.com/ou=people,dc=example,dc=com

The idea being that clients of this directory can simply set the base DN to dc=example,dc=com without needing to know which parts are local and which parts are pulled in remotely.
My understanding is that this approach incurs some overhead in going through the ldapi interface for each operation that ends up being performed on the local backend. Is it possible to eliminate that overhead through an alternate approach? I looked at back_relay, but couldn't get it to do what I wanted. I don't want to rewrite any of the suffixes -- I just want it to do exactly as above in the back-meta configuration, but replace "ldapi:///" with "internal-backend-api:///", as mentioned in this part of the back-relay docs: "back-relay bypasses the real database frontend operations by short-circuiting operations through the internal backend API".
Thanks,
-Kartik