Re: LDAP proxy to dynamically chosen server
Peter Mogensen wrote:
> I have a scenario where I would like an LDAP proxy which looks at the
> base DN and generates an LDAP URI to proxy to dynamically.
> I have several 100.000 potential URIs and they change constantly, so
> hardwiring them in slapd.conf is not an option.
> A search request arrives for this base "dc=host1,dc=mutex,dc=dk".
> The proxy should proxy the request to:
> ... and so on for host2-<very high number> (no, I don't have 200000
> LDAP-servers, but I have 200000 DNS entries to which server I do not
> control the mapping)
> I thought I had to write a back-perl module, but I've been looking at
> slapd-meta and I see that it can rewrite to URIs:
> "In case the rewritten DN is an LDAP URI, the operation is initiated
> towards the host[:port] indicated in the uri, if it does not refer to
> the local server"
That sentence belongs to a "white paper" that eventually evolved into a
man page; unfortunately, items on a wish list seem to have slipped in.
That feature has never existed, although it could be useful.
> But I can't get this to work. slapd-meta insists on having a "uri"
> directive which doesn't make sense in my scenario, and if I add a dummy
> "uri" it seems to try to connect to that server.
> There might of course be some idea in reusing TCP connections and
> that would be nice, since in reality there's only 3-4 servers answering
> requests, but they are identified by 3-400.000 DNS entries.
> Am I missing something?
> Is this possible with slapd-meta?
> Or do I have to write a back-perl module?
In principle, you could use back-dnssrv to have requests turned into
referrals based on DNS SRV entries (draft-ietf-ldapext-locate); the
referrals could be automatically chased by an instance of
slapo-chain(5). This requires your DNS to expose the DNS SRV for ldap
regarding those servers that service each naming context you want to be
mapped. Otherwise, I think the feature you need could be added in
slapd-meta(5) somehow (and might be of general use). You could submit a
feature request via the ITS <http://www.openldap.org/its/> (best
accompanied by a patch :)
Ing. Pierangelo Masarati
OpenLDAP Core Team
via Dossi, 8 - 27100 Pavia - ITALIA
Office: +39 02 23998309
Mobile: +39 333 4963172
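The reply above proposes back-dnssrv (DN mapped to a DNS name, SRV lookup, referral returned) with slapo-chain chasing the referral. The script below is an added illustration of that DN-to-SRV-to-referral step, written for this thread; it is not OpenLDAP code and not Peter's or Pierangelo's. SAMPLE_SRV is a constructed stand-in for real DNS so it runs offline, the host names and ports in it are made up, and the `chooser` parameter exists only to make RFC 2782 weighted selection deterministic in tests.

```python
"""DN -> DNS SRV -> LDAP referral, the mapping back-dnssrv performs before
a chain overlay would follow the resulting referral.

Added illustration, not OpenLDAP code. SAMPLE_SRV is a constructed zone
standing in for real DNS so the script runs offline.
"""
import random
from urllib.parse import quote

# Constructed sample data: SRV owner name -> list of
# (priority, weight, port, target), as an RFC 2782 lookup would return.
SAMPLE_SRV = {
    "_ldap._tcp.host1.mutex.dk": [
        (10, 60, 389, "ldap-a.mutex.dk"),
        (10, 40, 389, "ldap-b.mutex.dk"),
        (20, 0, 389, "ldap-backup.mutex.dk"),  # used only if priority 10 fails
    ],
    "_ldap._tcp.host2.mutex.dk": [
        (0, 0, 389, "ldap-b.mutex.dk"),
    ],
}


def dn_to_domain(dn):
    """Map a DN to a DNS name from its rightmost contiguous run of dc= RDNs
    (the draft-ietf-ldapext-locate rule); any other RDN resets the run.
    Splitting on ',' ignores escaped commas; a real implementation would
    use a proper DN parser."""
    labels = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if sep and attr.strip().lower() == "dc" and value.strip():
            labels.append(value.strip().lower())
        else:
            labels = []  # a non-dc RDN breaks the domain run
    if not labels:
        raise ValueError("DN %r carries no dc= components" % dn)
    return ".".join(labels)


def select_target(records, chooser=None):
    """RFC 2782 selection: the lowest priority wins; within that priority the
    choice is weighted-random. `chooser(total)` returns an int in [0, total);
    it defaults to random.randrange and is fixed in tests."""
    if chooser is None:
        chooser = random.randrange
    lowest = min(priority for priority, _, _, _ in records)
    candidates = [r for r in records if r[0] == lowest]
    total = sum(weight for _, weight, _, _ in candidates)
    if total == 0:
        return candidates[0]  # all weights zero: any candidate will do
    point = chooser(total)
    running = 0
    for record in candidates:
        running += record[1]
        if point < running:
            return record
    return candidates[-1]  # only reached if chooser violates [0, total)


def referral_for(dn, zone=SAMPLE_SRV, chooser=None):
    """Return the LDAP URI a back-dnssrv database would hand back as a
    referral for `dn`, or None when DNS has no SRV record for it."""
    owner = "_ldap._tcp." + dn_to_domain(dn)
    records = zone.get(owner)
    if not records:
        return None
    _, _, port, target = select_target(records, chooser)
    # RFC 4516 URL form: the DN is the path; '=' and ',' stay literal.
    return "ldap://%s:%d/%s" % (target, port, quote(dn, safe="=,"))


if __name__ == "__main__":
    for dn in ("dc=host1,dc=mutex,dc=dk",
               "ou=People,dc=host2,dc=mutex,dc=dk",
               "dc=host3,dc=mutex,dc=dk"):
        print(dn, "->", referral_for(dn))
```

The point for a deployment like Peter's: every one of the hundreds of thousands of names needs an `_ldap._tcp.<name>` SRV record, since a DN whose domain has no SRV record yields no referral (None here) rather than a fallback to some default server; that gap is the first thing to check when a search for a given base comes back empty.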