[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: LDAP proxy to dynamicly chosen server

To: Peter Mogensen <apm@mutex.dk>
Subject: Re: LDAP proxy to dynamicly chosen server
From: Pierangelo Masarati <ando@sys-net.it>
Date: Tue, 01 Jul 2008 22:54:19 +0200
Cc: openldap-software@openldap.org
In-reply-to: <486A0E4B.7070006@mutex.dk>
References: <486A0E4B.7070006@mutex.dk>
User-agent: Thunderbird 2.0.0.12 (X11/20080213)

Peter Mogensen wrote:

Hi,
I have a scenario where I would like an LDAP proxy which looks at the base DN and generated a LDAP URI to proxy to dynamicly. I have several 100.000 potential URIs and they change constantly, so hardwiring them in slapd.conf is not an option.
Example:
An search request arrives for this base "dc=host1,dc=mutex,dc=dk".
The proxy should proxy the request to:
ldap://host1.mutex.dk/dc=host1,dc=mutex,dc=dk/
... and so on for host2-<very high number> (no I don't have 200000 LDAP-servers but I have 200000 DNS entries to which server I do not kontrol the mapping)

I though I had to write a back-perl module, but I've been looking at slapd-meta and I see that it can rewrite to URIs:
"In case the rewritten DN is an LDAP URI,  the  operation  is  initiated
 towards  the  host[:port] indicated in the uri, if it does not refer to
 the local server"

That sentence belongs to a "white paper" that eventually evolved into a man page; unfortunately, items on a wish list seem to have slipped in. That feature has never existed, although it could be useful.

But I can't get this to work. slapd-meta insists on having a "uri" directive which doen't make sense in my scenario and if I add a dummy "uri" it seems to try to connect to that server. There might of course be some idea in reusing TCP connectiontions and that would be nice, since in reality there's only 3-4 servers answering request, but they are identified by 3-400.000 DNS entries.
Am I missing something?
Is this possible with slapd-meta?
Or do I have to write a back-perl module?

In principle, you could use back-dnssrv to have requests turned into referrals based on DNS SRV entries (draft-ietf-ldapext-locate); the referrals could be automatically chased by an instance of slapo-chain(5). This requires your DNS to expose the DNS SRV for ldap regarding those servers that service each naming context you want to be mapped. Otherwise, I think the feature you need could be added in slapd-meta(5) somehow (and might be of general use). You could submit a feature request via the ITS <http://www.openldap.org/its/> (best accompanied by a patch :)

p.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   ando@sys-net.it
-----------------------------------

Follow-Ups:
- Re: LDAP proxy to dynamicly chosen server
  - From: Peter Mogensen <apm@mutex.dk>

References:
- LDAP proxy to dynamicly chosen server
  - From: Peter Mogensen <apm@mutex.dk>

Prev by Date: Re: Meta backend
Next by Date: Re: ACL Help Please
Index(es):
- Chronological
- Thread