Re: Configuring dual root service



Hi Kurt,

Thanks for responding.

> >I can imagine setting up a last backend to mimic root.openldap.org:
> >        backend dnssrv
> >        suffix dc=nl
> >        suffix dc=com
> >        suffix dc=org
> >        suffix dc=us
> >        ...
> 
> You might try:
> 
> referral ldap://ldap.surfnet.nl
> 
> backend dnssrv
> suffix ""

I tried that on 2.1.5, but it doesn't work:

	bash$ ldapsearch -b 'o=Universiteit Twente,c=nl' 
	# search result
	search: 2
	result: 32 No such object
	text: no DNS SRV RR available for DN

The approach that I gave above does work, however.

I think of slapd as a suffix-based multiplexer, distributing LDAP queries
to the first backend that matches by suffix.  Am I right?  If the DNSSRV
backend is always selected with suffix "", and if it cannot say "nope, try
another backend", then the referral declaration will never be reached.

Other than the weird solution of listing all occurring "dc=xx" suffixes,
there does not seem to be a solution in current OpenLDAP; AFAIK a "dc=*"
suffix is not feasible.

A more general solution, relieving all sysops of keeping up with countries
that are split by wars, is possible however:
 1) a "referral" backend that forwards c=xx to one place, dc=xx to another;
 2) a root.openldap.org backend that also links to country toplevels
Probably 1) implies 2).

I'll see if I can get this backend going.


Cheers,
Rick van Rein.