[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Multiple suffixes per server

To: Dave Horsfall <daveh@ci.com.au>
Subject: Re: Multiple suffixes per server
From: Howard Chu <hyc@symas.com>
Date: Thu, 12 May 2005 16:47:45 -0700
Cc: OpenLDAP Software List <openldap-software@OpenLDAP.org>
In-reply-to: <20050512214655.H6631@mippet.ci.com.au>
References: <20050512214655.H6631@mippet.ci.com.au>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050508

Dave Horsfall wrote:

I don't think that is possible with OpenLDAP, but I'm willing to be convinced otherwise; I've also been told that this called "multi-mastering", but I know that that's the wrong term.

The realm of possibility is far greater than any one person can imagine...

Let's say that BigCorp.com (dc=BigCorp,dc=com) has just been taken over by Cobber.com.au (dc=Cobber,dc=com,dc=au). As is the wont of ways like this, both need to retain their corporate identities despite the hierarchy, with the possibility of having the directory available to the public.

In other words, I need to serve "dc=BigCorp,dc=com" and "dc=Cobber,dc=com,dc=au" side by side, on the one server. I can do it with separate servers, but there is the need to inform client programs just which server to use (DNS LDAP discovery and 2.3/HEAD?). I can also run several SLAPD instances on the one server, but again there is the problem of informing the client (which could be Joe Q. Public).
So, it is possible to run non-overlapping suffixes on one server?

Of course. A single slapd server can manage multiple databases, and each database can have a suffix completely independent of the others. But that's only a very crude beginning of a solution. For corporate mergers, you eventually will want to be able to present a unified view of the two separate hierarchies. E.g., you may want everything under dc=BigCorp,dc=com to appear to be a subtree of dc=Cobber,dc=com,dc=au, something like ou=BigCorp,dc=Cobber,dc=com,dc=au. OpenLDAP easily supports this as well, through a variety of mechanisms. The simplest in OpenLDAP 2.2 would be to use back-ldap with some rewrite rules to point a subtree at the other. In OpenLDAP 2.3 there are even more efficient ways to do it:

database bdb
suffix dc=BigCorp,dc=com
...

database relay
suffix ou=BigCorp,dc=Cobber,dc=com,dc=au
relay dc=BigCorp,dc=com massage

database bdb
suffix dc=Cobber,dc=com,dc=au
overlay glue
glue-sub ou=BigCorp,dc=Cobber,dc=com,dc=au
...

--
 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support

Follow-Ups:
- Re: Multiple suffixes per server
  - From: Dave Horsfall <daveh@ci.com.au>

References:
- Multiple suffixes per server
  - From: Dave Horsfall <daveh@ci.com.au>

Prev by Date: Re: Multiple suffixes per server
Next by Date: Re: Multiple suffixes per server
Index(es):
- Chronological
- Thread