
using a proxy/rewrite to obviate the need for a legacy suffix?


I'm a very recent subscriber to the list, though we've been happily using
OpenLDAP for years.  Our needs have been pretty pedestrian, so for us
OpenLDAP has never required much care and feeding, and hence I've
neglected to learn much beyond the basics.  Now I need some advice related
to multiple suffix support, and what we can do to lessen the pain.

We're currently using OpenLDAP 2.3.x, with a preferred suffix of

	suffix          "dc=nodak, dc=edu"

When we started with OpenLDAP way back in the day, we used

	suffix          "o=NDUS, st=North Dakota, c=US"

and unfortunately, we've had to keep that around for legacy (political)
reasons, so we're running 2.3.x with two suffix entries in our slapd.conf.
The information that's served is exactly the same, no matter which suffix
you use.  It's just two ways to get at the same information.

When we upgraded to OpenLDAP 2.3.x last year, I quickly discovered that
the new default of "back-bdb" was not an option for us, because it doesn't
support multiple suffix entries (unless you build it in a special way that
"degrades performance", according to the FAQ).  That means we had to
continue using back-ldbm abstracting bdb as our backend.

We would love to get with the program and switch to back-bdb.  Since we
unfortunately have to continue to provide two entry points (the FAQ
seems to use "naming contexts" as the nomenclature for the suffix), we're
looking at options for some kind of proxy/rewrite, so that requests that
come in for the older suffix get proxied/rewritten/mapped to our preferred

One of my coworkers has been doing some research into our options for
suffix rewriting, and it looks like we have at least two options:

Option #1:

database relay
suffix          "ou=<old suffix here>"
relay           "<new suffix here>" massage

Option #2:

database meta
suffix          "ou=<old suffix here>"
uri            "ldap://localhost/<old suffix here>"
suffixmassage  "<old suffix here>" "<new suffix here>"

Both "meta" and "relay" are experimental, so either one of them could be
abandoned and become a dead end for us in the future.

We're leaning toward "relay", since this seems to be very close to what
it was designed to do.

Can anyone provide any hints, suggestions, or moral support on whether
we're heading in the recommended direction, or whether there's a better
way to obviate the need for our legacy suffix entry using some other
kind of rewriting?


Tim Mooney                                        Tim.Mooney@ndsu.edu
Information Technology Services                   (701) 231-1076 (Voice)
Room 242-J6, IACC Building                        (701) 231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164
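For reference, here is how Option #1 fits together with the preferred back-bdb database, using the two suffixes from the post. This is an added illustration, not configuration from the original message or from the OpenLDAP project; the rootdn, directory path, index line and ACL rules are assumptions.

```conf
# Added example (not from the original post): back-bdb serves the preferred
# suffix, back-relay exposes the legacy suffix on top of the same data.
# Assumed values: rootdn, directory, the index line and the ACL rules.

database        bdb
suffix          "dc=nodak, dc=edu"
rootdn          "cn=Manager,dc=nodak,dc=edu"
directory       /var/lib/ldap
index           objectClass     eq

# Assumed here: access control is enforced by the real database after the
# legacy DN has been massaged to dc=nodak,dc=edu, so there is a single set
# of ACLs to audit rather than one copy per suffix. Verify this by running
# the same ldapsearch (anonymous and as a user) against both base DNs and
# comparing the results; the post says the served data must be identical.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by * read

# Legacy entry point: no data or directory of its own; every operation is
# handed to the bdb database above with the suffix rewritten both ways.
database        relay
suffix          "o=NDUS, st=North Dakota, c=US"
relay           "dc=nodak, dc=edu" massage
```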