
Re: LDAP proxy to dynamicly chosen server

Peter Mogensen wrote:

I have a scenario where I would like an LDAP proxy which looks at the base DN and generates an LDAP URI to proxy to dynamically.
I have several 100.000 potential URIs and they change constantly, so hardwiring them in slapd.conf is not an option.

A search request arrives for this base "dc=host1,dc=mutex,dc=dk".
The proxy should proxy the request to:

... and so on for host2-<very high number> (no, I don't have 200000 LDAP servers, but I have 200000 DNS entries for which I do not control the mapping to servers)

I thought I had to write a back-perl module, but I've been looking at slapd-meta and I see that it can rewrite to URIs:

"In case the rewritten DN is an LDAP URI, the operation is initiated towards the host[:port] indicated in the uri, if it does not refer to the local server"

That sentence belongs to a "white paper" that eventually evolved into a man page; unfortunately, items on a wish list seem to have slipped in. That feature has never existed, although it could be useful.

But I can't get this to work. slapd-meta insists on having a "uri" directive, which doesn't make sense in my scenario, and if I add a dummy "uri" it seems to try to connect to that server.
There might of course be some idea in reusing TCP connections, and that would be nice, since in reality there are only 3-4 servers answering requests, but they are identified by 3-400.000 DNS entries.

Am I missing something?
Is this possible with slapd-meta?
Or do I have to write a back-perl module?

In principle, you could use back-dnssrv to have requests turned into referrals based on DNS SRV entries (draft-ietf-ldapext-locate); the referrals could be automatically chased by an instance of slapo-chain(5). This requires your DNS to expose the DNS SRV for ldap regarding those servers that service each naming context you want to be mapped. Otherwise, I think the feature you need could be added in slapd-meta(5) somehow (and might be of general use). You could submit a feature request via the ITS <http://www.openldap.org/its/> (best accompanied by a patch :)


Ing. Pierangelo Masarati OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   ando@sys-net.it
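To make the back-dnssrv suggestion above concrete, here is an added example (not OpenLDAP code, and not from either poster) of the DN-to-referral mapping that the ldapext-locate scheme performs: the root-most run of `dc=` RDNs becomes a domain, `_ldap._tcp.<domain>` is looked up as an SRV record set, and each SRV target becomes a referral URI. The SRV table is constructed stand-in data in place of real DNS, the `dc`-run rule and the deterministic weight ordering are my assumptions, and `host1`/`host2` both resolve to the same few servers to mirror the "many DNS names, few servers" situation in the question.

```python
"""DN -> DNS SRV -> LDAP referral, as an ldapext-locate style backend would do it.
Constructed example; not OpenLDAP's back-dnssrv implementation."""
from typing import Dict, List, Tuple
from urllib.parse import quote

# Constructed SRV answers standing in for real DNS: name -> [(priority, weight, port, target)]
SRV_TABLE: Dict[str, List[Tuple[int, int, int, str]]] = {
    "_ldap._tcp.host1.mutex.dk": [(10, 60, 389, "ldap-a.mutex.dk"),
                                  (10, 40, 389, "ldap-b.mutex.dk"),
                                  (20, 0, 636, "ldap-c.mutex.dk")],
    "_ldap._tcp.host2.mutex.dk": [(10, 100, 389, "ldap-a.mutex.dk")],
}


def dn_to_domain(dn: str) -> str:
    """Return the domain formed by the run of dc= RDNs at the root of the DN.
    A non-dc RDN discards any dc components to its left (assumed rule, mirroring
    the locate draft); '' means the DN has no usable dc run.
    Simple split on ',': escaped commas inside values are not handled here."""
    labels: List[str] = []
    for rdn in (r.strip() for r in dn.split(",")):
        attr, _, value = rdn.partition("=")
        if attr.strip().lower() == "dc" and value.strip():
            labels.append(value.strip())
        else:
            labels = []  # a non-dc RDN breaks the run; start over from here
    return ".".join(labels)


def srv_lookup(domain: str) -> List[Tuple[int, int, int, str]]:
    """Fetch _ldap._tcp.<domain> from the constructed table, ordered by ascending
    priority; weight is used as a deterministic tie-break here instead of the
    random weighted selection RFC 2782 describes."""
    records = SRV_TABLE.get(f"_ldap._tcp.{domain}", [])
    return sorted(records, key=lambda r: (r[0], -r[1]))


def referral_uris(base_dn: str) -> List[str]:
    """Build the referral list a dnssrv-style backend would return for base_dn.
    No SRV records (or no dc run) yields an empty list, i.e. nothing to chase."""
    domain = dn_to_domain(base_dn)
    if not domain:
        return []
    path = quote(base_dn, safe="=,")  # keep the DN readable, escape the rest
    return [f"ldap://{target}:{port}/{path}" for _, _, port, target in srv_lookup(domain)]


if __name__ == "__main__":
    for dn in ("dc=host1,dc=mutex,dc=dk", "cn=peter,dc=host2,dc=mutex,dc=dk", "o=nowhere"):
        print(dn, "->", referral_uris(dn))
```

With slapo-chain in front of such a backend, the referrals are followed server-side, so the client only ever sees the proxy and the target set stays as small as the SRV data makes it.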