OpenLDAP Proxy -- Introduction
OpenLDAP is an open source project which is intended to provide some commercial-grade, fully featured applications and development tools based on the well known Light-weight Directory Access Protocol(LDAP). Hence corporations which want to manage their user and group information can freely use these tools.
OpenLDAP provides ldap servers, ldap clients and corresponding tools to work on LDAP. The LDAP server is called slapd(Stand-alone LDAP daemon). And it would serve as the server which provides the capability of creating, updating and deleting organization, group and user information etc. In addition to this, it also provides another important capability -- proxy. This means it can serve as a proxy for LDAP client to contact different LDAP servers without knowing the details of those LDAP servers. This would be a great option if some LDAP server is behind some firewall and LDAP client cannot directly access it. Also it would be very useful if the organization wants to combine information from various LDAP servers so that it can be viewed as just one LDAP server.
In these series of posts, we would introduce the OpenLDAP proxy. The topics include different type of options of proxies, the proxy setup, enabling SSL of proxy, enabling simple authentication of proxy and attribute mapping of proxy.
- OpenLDAP Proxy -- Introduction
- OpenLDAP Proxy -- slapd.conf
- OpenLDAP Proxy -- Installation and configuration
- OpenLDAP Proxy -- Tricks and tips
In this post, we would first give a brief introduction of different options to create an OpenLDAP proxy.
The design of backend in OpenLDAP offers the possibility of setting up proxy. Each backend represents one specific source of directory information. The source would be some local store, database, remote LDAP server etc. Below is a list of available backends from OpenLDAP.
Among these backends, two of them are good candidates for proxy -- ldap and meta.
The slapd service may use slapd.conf as the configuration file for the service. In slapd.conf, one can define the type of backend and other options.
Backend ldap means that the directory information is from another remote LDAP server. Hence when a client is making some query to the proxy, the proxy will redirect the query to the corresponding remote LDAP server based on the base/suffix provided.
A ldap backend allows multiple entries of remote ldap servers. However, there will only be at most one remote LDAP server being searched in the list of remote LDAP servers configured. The high level architecture looks like.
Backend meta is another type of backend where multiple remote LDAP servers can be searched at the same time. It is built upon ldap backend but with some enhancements. A meta backend allows virtual naming context(base) which the client can use to query the LDAP proxy. With this, a client can query a combination of remote LDAP servers with a single query. The proxy will provide the mapping of the virtual naming context and the real base of each remote LDAP server through suffixmassage.
The high-level architecture of meta backend would be
From the slapd.conf, there is a suffix option after database meta, the suffix declares the virtual naming context(base) the client can use to query the proxy. Thereafter there is a suffixmassage option which defines the mapping between the virtual naming context and real base of the remote LDAP server.
The major difference between ldap backend and meta backend is that only one remote LDAP server would be searched for at the same time for ldap backend while multiple remote LDAP servers can be searched for at the same time for meta backend so that the result is accumulated by looping through each remote LDAP server.
In next few posts, we would introduce how to configure OpenLDAP proxy using slapd.conf and how to enable SSL and how to enable simple authentication using OpenLDAP proxy.