The ldap backend works as a proxy: when a client searches for data, the proxy forwards the request to the ldap servers that hold the real data, and their answer is returned to the client.
This is useful for:
- high availability: the ldap backend detects faulty servers and picks the first working one in a list
- firewalling: clients connect to a single IP no matter how many ldap servers are involved.
Before using the ldap backend you have to enable it: create an ldif named 'add_module_ldap.ldif' and apply it with: sudo ldapadd -H ldapi:/// -Y EXTERNAL -f add_module_ldap.ldif
Now you are ready to create the database by inserting the following ldif.
Now queries matching the base "dc=example,dc=org" are forwarded to the first available server among ldap1.example.org and ldap2.example.org. The proxy might take some time to spot a faulty server (it may have to wait for a timeout), but from the next call on it forwards to the last server that worked, i.e. the first working one.
Please note:
- the "allow all" acl is required because the ldap backend performs authorization too: a request is fulfilled only if both the proxy and the data server allow it. The serious acls are supposed to live on the data server only (it keeps things sane);
- remember to encrypt the connection between proxy and data server with 'olcDbStartTLS: start'
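As an added example (these are not the ldifs from the original post), here is what the two ldifs described above can look like for a cn=config style slapd: the first record loads the module, the second creates the proxy database. The cn=module{0} dn assumes a Debian/Ubuntu style install where that entry already exists; the file name proxy_db.ldif and the olcDbNetworkTimeout value are assumptions.

```ldif
# add_module_ldap.ldif: load back_ldap into a running slapd (cn=config).
# Assumes an existing cn=module{0} entry, as on Debian/Ubuntu installs;
# on a cn=config without one, add a cn=module entry with
# objectClass: olcModuleList and an olcModulePath instead.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: back_ldap

# proxy_db.ldif (assumed name): the proxy database itself.
dn: olcDatabase=ldap,cn=config
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: ldap
olcSuffix: dc=example,dc=org
# Space-separated list: the first reachable server is used, the others
# are tried in order when it stops answering.
olcDbURI: "ldap://ldap1.example.org ldap://ldap2.example.org"
# Require StartTLS on the proxy-to-data-server leg. 'start' refuses the
# connection if TLS cannot be negotiated, unlike 'try-start', which
# silently falls back to cleartext. The proxy must trust the data
# servers' CA (for example via TLS_CACERT in ldap.conf).
olcDbStartTLS: start
# Bound the seconds spent on a dead server before the next URI is
# tried (assumed value, tune to your network).
olcDbNetworkTimeout: 5
# The "allow all" rule: the proxy checks access on its own, so anything
# it denies never reaches the data server. The real ACLs belong there.
olcAccess: {0}to * by * write
```

Apply both with the ldapadd -H ldapi:/// -Y EXTERNAL command shown above (module file first), then check the chain end to end with an ldapsearch against the proxy, e.g. ldapsearch -x -H ldap://proxy.example.org -b dc=example,dc=org: an entry coming back proves the proxy reached one of the listed servers, and stopping ldap1.example.org should make a repeat search succeed via ldap2.example.org after the configured timeout.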