
Best way to merge two local DITs vs empty search base suffix



Hello,

We want to update our old OpenLDAP server from 2.1.x to 2.4.x but the current
configuration does not use a regular suffix (o=foo,c=bar or dc=foo,dc=bar) but
uses an empty suffix ("").

We want to move away from the empty suffix as we cannot use cn=monitor or any
additional suffixes, as they cannot bind when a suffix "" is in use in an hdb database:

<suffix> namingContext "o=..." already served by a preceding hdb database serving namingContext ""

We still have some old applications which are using an empty search base and
implicitly query the union of o=A and o=B stored within the same ldbm database.

To maintain backward compatibility we set up a meta backend to merge the two local DITs
under suffix "".

The side effect of the meta backend with ldap://localhost is an increase in the number
of open TCP connections to slapd, which are eating "thread" connections for "nothing".
The number of "threads" in use is linked to the number of suffixmassage directives used in
the meta backend (2 in our case). We want to try to avoid increasing by two the number of
threads in use to maintain backward compatibility.

Do you know an alternative way to merge two local DITs without using the meta backend?
Can we use the relay/ldap backend with the rwm overlay instead of using the meta backend?

database        meta
suffix          ""
uri             "ldap://localhost/o=test1"
suffixmassage   "o=test1" "o=test1"
uri             "ldap://localhost/o=test2"
suffixmassage   "o=test2" "o=test2"


Thank you for your help.

Best Regards,
Guy Baconniere.



CURRENT CONFIG (slapd 2.1.x)
suffix ""
database ldbm
rootdn "cn=manager"
directory "/var/lib/ldap"
# o=test1, o=test2, cn=manager are stored within the same ldbm database

CURRENT LDAPSEARCH (slapd 2.1.x)
ldapsearch -LLL -h localhost -p 389 -x -b '' -s one '(objectclass=*)' '1.1'
dn: o=test1
dn: o=test2
dn: cn=manager


TEST CONFIG WITH BACKWARD COMPATIBILITY (slapd 2.4.x)
database hdb
suffix "o=test1"
rootdn "cn=admin,dc=test3,dc=com"
directory "/var/lib/ldap/test1"

database hdb
suffix "o=test2"
rootdn "cn=admin,dc=test3,dc=com"
directory "/var/lib/ldap/test2"

database hdb
suffix "dc=test3,dc=com"
rootdn "cn=admin,dc=test3,dc=com"
directory "/var/lib/ldap/dc=test3,dc=com"

database relay
suffix "cn=manager"
overlay rwm
rwm-rewriteEngine on
rwm-suffixmassage "cn=manager" "cn=manager,o=admin"
rwm-normalize-mapped-attrs yes

database        meta
suffix          ""
uri             "ldap://localhost/o=test1"
suffixmassage   "o=test1" "o=test1"
uri             "ldap://localhost/o=test2"
suffixmassage   "o=test2" "o=test2"

LDAPSEARCH WITHOUT META BACKEND (slapd 2.4.x)
ldapsearch -LLL -h localhost -p 389 -x -b '' -s one '(objectclass=*)' '1.1'
No such object (32)

LDAPSEARCH WITH META BACKEND (slapd 2.4.x)
ldapsearch -LLL -h localhost -p 389 -x -b '' -s one '(objectclass=*)' '1.1'
dn: o=test1
dn: o=test2

OPENLDAP LOGS SHOWING THE LOCAL CONNECTIONS OF META BACKEND
slapd[29622]: conn=11 fd=37 ACCEPT from IP=127.0.0.1:33680 (IP=0.0.0.0:389)
slapd[29622]: conn=11 op=0 BIND dn="" method=128
slapd[29622]: conn=11 op=0 RESULT tag=97 err=0 text=
slapd[29622]: conn=11 op=1 SRCH base="" scope=1 deref=0 filter="(objectClass=*)"
slapd[29622]: conn=11 op=1 SRCH attr=1.1
slapd[29622]: conn=8 op=3 SRCH base="o=test1" scope=0 deref=0 filter="(objectClass=*)"
slapd[29622]: conn=8 op=3 SRCH attr=1.1
slapd[29622]: conn=8 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[29622]: conn=9 op=3 SRCH base="o=test2" scope=0 deref=0 filter="(objectClass=*)"
slapd[29622]: conn=9 op=3 SRCH attr=1.1
slapd[29622]: conn=9 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[29622]: conn=11 op=1 SEARCH RESULT tag=101 err=0 nentries=2 text=
slapd[29622]: conn=11 op=2 UNBIND
slapd[29622]: conn=11 fd=37 closed
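
Added example, not part of the original post: a small Python log correlator that attributes the back-end searches in the slapd log above to the client search on the empty base that triggered them. The names `meta_fanout` and `backend_connections` are hypothetical, and matching by overlap in log order is an assumption that only holds on a quiet server.

```python
import re

# Log lines copied from the post above (slapd "stats" logging).
SAMPLE_LOG = '''\
slapd[29622]: conn=11 fd=37 ACCEPT from IP=127.0.0.1:33680 (IP=0.0.0.0:389)
slapd[29622]: conn=11 op=0 BIND dn="" method=128
slapd[29622]: conn=11 op=0 RESULT tag=97 err=0 text=
slapd[29622]: conn=11 op=1 SRCH base="" scope=1 deref=0 filter="(objectClass=*)"
slapd[29622]: conn=11 op=1 SRCH attr=1.1
slapd[29622]: conn=8 op=3 SRCH base="o=test1" scope=0 deref=0 filter="(objectClass=*)"
slapd[29622]: conn=8 op=3 SRCH attr=1.1
slapd[29622]: conn=8 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[29622]: conn=9 op=3 SRCH base="o=test2" scope=0 deref=0 filter="(objectClass=*)"
slapd[29622]: conn=9 op=3 SRCH attr=1.1
slapd[29622]: conn=9 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[29622]: conn=11 op=1 SEARCH RESULT tag=101 err=0 nentries=2 text=
slapd[29622]: conn=11 op=2 UNBIND
slapd[29622]: conn=11 fd=37 closed
'''

OP_LINE = re.compile(r'conn=(\d+) op=(\d+) (.*)')   # skips ACCEPT/closed lines
SRCH = re.compile(r'SRCH base="([^"]*)" scope=\d')  # skips "SRCH attr=" lines

def meta_fanout(log_text, proxy_base=""):
    """Map each (conn, op) search on proxy_base to the (conn, base) searches
    that other connections started while it was still in flight."""
    in_flight, fanout = set(), {}
    for line in log_text.splitlines():
        m = OP_LINE.search(line)
        if not m:
            continue
        key, rest = (int(m.group(1)), int(m.group(2))), m.group(3)
        srch = SRCH.match(rest)
        if srch and srch.group(1) == proxy_base:
            in_flight.add(key)          # client search handled by the meta database
            fanout[key] = []
        elif srch:
            for parent in in_flight:    # search issued while a proxied search is open
                if parent[0] != key[0]:
                    fanout[parent].append((key[0], srch.group(1)))
        elif rest.startswith("SEARCH RESULT"):
            in_flight.discard(key)
    return fanout

def backend_connections(fanout):
    """Distinct connection ids that carried fanned-out searches."""
    return {conn for hits in fanout.values() for conn, _ in hits}
```

On the log from the post this ties the single client search on conn=11 to the two loopback searches on conn=8 and conn=9, one per `uri` target of the meta database.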