Wednesday, 24 July 2013

OpenLDAP ldap backend as a proxy

The ldap backend (back_ldap) makes slapd act as a proxy: when a client searches, the proxy forwards the request to the LDAP servers that hold the real data and returns their results to the client. This is useful for:
  • high availability: the ldap backend detects a faulty server and picks the first working one in its list;
  • firewalling: clients connect to a single IP address no matter how many LDAP servers are involved.
Before using the ldap backend you have to load its module: create an LDIF named 'add_module_ldap.ldif' with the content below and apply it with: sudo ldapadd -H ldapi:/// -Y EXTERNAL -f add_module_ldap.ldif. The {1} index assumes a cn=module{0} entry already exists (as on a stock Debian/Ubuntu install, which is also where the /usr/lib/ldap module path comes from); if you add the entry as cn=module,cn=config without an index, slapd assigns the next free one itself.
dn: cn=module{1},cn=config
objectClass: olcModuleList
cn: module{1}
olcModulePath: /usr/lib/ldap
olcModuleLoad: back_ldap
Now you are ready to create the database by adding the following LDIF the same way.
dn: olcDatabase={1}ldap,cn=config
objectClass: olcDatabaseConfig
objectClass: olcLdapConfig
olcDatabase: {1}ldap
olcSuffix: dc=example,dc=org
olcRootDN: cn=ldap-admin
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
olcAccess: {1}to * by * read
olcDbStartTLS: start
olcDbUri: "ldap://ldap1.example.org ldap://ldap2.example.org"
Now queries under the suffix "dc=example,dc=org" are forwarded to the first reachable server among ldap1.example.org and ldap2.example.org. The proxy may take some time to notice a faulty server (it has to wait for the connection timeout), but following operations reuse the connection to the server that last answered, i.e. the first working one, so only the first request after a failure pays that cost. Please note:
  • the long olcAccess value above is folded over two lines: in LDIF a continuation line starts with exactly one space, which is dropped when the value is joined, so keep that space if you copy the entry;
  • the "allow all" read ACL is required because the ldap backend does perform authorization, but only partially: per slapd-ldap(5) it honors read access on the entries returned by a search and delegates everything else to the remote server. A request is fulfilled only if both the proxy and the data server allow it, so without read access at the proxy the results are filtered out before the client sees them. Keep the real ACLs on the data server only (one place to get right);
  • always encrypt the connection between proxy and data server with 'olcDbStartTLS: start'. The 'start' mode makes StartTLS mandatory; the 'try-start' variant falls back to cleartext when the server does not offer TLS, so do not use it here. Certificate checking of the data servers follows the libldap defaults from ldap.conf(5) (TLS_REQCERT, TLS_CACERT) unless you pin it in the same directive, e.g. 'olcDbStartTLS: start tls_reqcert=demand tls_cacert=/etc/ssl/certs/ca.pem' (see the tls options in slapd-ldap(5)).
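As an added check (example code written for this note, not part of the original post and not OpenLDAP's own tooling), the script below parses the proxy database entry as LDIF, including the folded olcAccess line, and flags the settings that weaken the proxy-to-server leg: an olcDbStartTLS mode that does not force StartTLS, a missing tls_reqcert=demand, IP literals in olcDbUri, and a local olcRootPW. Both LDIF samples are constructed for the example (the first is the post's entry with tls_reqcert pinned), and the lint rules are this example's own assumptions, drawn from slapd-ldap(5).

```python
"""Lint back-ldap proxy entries from cn=config for weak transport settings.

Added example for this note; not OpenLDAP code. The rules below are the
example's own assumptions; option names follow slapd-ldap(5).
"""
import base64
import re
import sys

# Constructed sample: the entry from the post, with tls_reqcert pinned.
GOOD_LDIF = """\
dn: olcDatabase={1}ldap,cn=config
objectClass: olcDatabaseConfig
objectClass: olcLdapConfig
olcDatabase: {1}ldap
olcSuffix: dc=example,dc=org
olcRootDN: cn=ldap-admin
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
olcAccess: {1}to * by * read
olcDbStartTLS: start tls_reqcert=demand
olcDbUri: "ldap://ldap1.example.org ldap://ldap2.example.org"
"""

# Constructed sample: a weak variant (try-start, IP literal, local root password).
WEAK_LDIF = """\
dn: olcDatabase={2}ldap,cn=config
objectClass: olcDatabaseConfig
objectClass: olcLdapConfig
olcDatabase: {2}ldap
olcSuffix: dc=example,dc=org
olcRootPW: secret
olcDbStartTLS: try-start
olcDbUri: "ldap://ldap1.example.org ldap://10.0.0.5:389"
"""

# Modes that make TLS mandatory on the proxy->server leg. "try-start" continues
# in cleartext on failure and "propagate" only uses TLS when the client did.
ENFORCING_MODES = {"start", "ldaps"}


def unfold(text):
    """Join LDIF continuation lines: a line starting with one space continues
    the previous logical line, and that single space is dropped."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of entries, each {attribute_lowercased: [values]}."""
    entries, entry = [], {}
    for line in unfold(text):
        if not line.strip():            # blank line ends an entry
            if entry:
                entries.append(entry)
            entry = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not an LDIF line: %r" % line)
        if value.startswith(":"):       # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(attr.strip().lower(), []).append(value)
    if entry:
        entries.append(entry)
    return entries


def access_rules(entry):
    """olcAccess values with the {n} ordering prefix removed."""
    return [re.sub(r"^\{\d+\}", "", v) for v in entry.get("olcaccess", [])]


def lint_proxy(entry):
    """Findings for one olcLdapConfig entry; an empty list means clean."""
    findings = []
    tls_args = entry.get("olcdbstarttls", [""])[0].split()
    mode = tls_args[0] if tls_args else "none"
    tls_opts = dict(a.split("=", 1) for a in tls_args[1:] if "=" in a)
    uris = entry.get("olcdburi", [""])[0].strip('"').split()
    if not uris:
        findings.append("olcDbUri: no data servers configured")
    plain = [u for u in uris if u.startswith("ldap://")]
    if plain and mode not in ENFORCING_MODES:
        findings.append("olcDbStartTLS: mode '%s' does not force StartTLS towards %s; use 'start'"
                        % (mode, ", ".join(plain)))
    if uris and tls_opts.get("tls_reqcert") != "demand":
        findings.append("olcDbStartTLS: tls_reqcert=demand not set; verification depends on ldap.conf TLS_REQCERT")
    for uri in uris:
        host = re.sub(r"^ldaps?://", "", uri).split("/")[0].split(":")[0]   # hostname/IPv4 only
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append("olcDbUri: %s uses an IP literal; use the hostname the server certificate is issued for" % uri)
    if "olcrootpw" in entry:
        findings.append("olcRootPW: a local root password on the proxy bypasses its ACLs; leave it unset")
    return findings


def lint_ldif(text):
    """Map each olcLdapConfig entry's DN to its findings."""
    report = {}
    for entry in parse_ldif(text):
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "olcldapconfig" in classes:
            report[entry["dn"][0]] = lint_proxy(entry)
    return report


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else GOOD_LDIF + "\n" + WEAK_LDIF
    for dn, findings in lint_ldif(text).items():
        print(dn, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run without input it lints the two samples; to check a live server, export the proxy databases with `ldapsearch -LLL -H ldapi:/// -Y EXTERNAL -b cn=config '(objectClass=olcLdapConfig)'` and pipe the output into the script. It only inspects the configuration; whether a data server actually offers StartTLS is checked separately with `ldapsearch -ZZ -x -H ldap://ldap1.example.org -b '' -s base`, which fails rather than falling back if StartTLS cannot be negotiated.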
