Hi,
After more than a day of fiddling with it, I turn to you, the gurus ;)
I'm trying to create an OpenLDAP proxy that will talk to 2 OpenLDAP
servers, doing MirrorMode replication and using a floating IP so that I
can point all write queries to one and the same server. Those 2
MirrorMode servers are up and running and doing fine, but I can't figure
out how to make that proxy.
I'm running on Debian Bullseye (still "testing" at this moment), with
OpenLDAP 2.4.57, both on the backend servers and the proxy I'm trying to
make. I'm not using TLS yet, that's for later.
After installation, there's an (empty, of course) mdb database. I think
I should throw that away, but I'm not sure. The suffix in that database
is different from the one I need to proxy, so it's probably not a
problem to leave it there.
I have loaded the extra schemas that I use on the MirrorMode machines,
and loaded the backends ldap and meta, with LDIF files like this:
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: back_ldap.la
And fed that to slapd with
ldapmodify -Y EXTERNAL -h ldapi:/// -f <file>
I checked with ldapvi and saw both modules loaded. So far, so good.
Now I need to create the backend, and this is where I keep running into
problems. Although the use of slapd.conf fell from grace a long
time ago, every example I can find online only uses that. So I tried
creating one and adding it to the configuration with slaptest. This is
what I came up with:
backend meta
database meta
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
rootpw "super secret passwd"
uri "ldap://172.16.7.6/dc=example,dc=com"
readonly yes
acl-authcDN "cn=admin,dc=example,dc=com"
acl-passwd "super secret passwd"
uri "ldap://172.16.7.7/dc=example,dc=com"
readonly yes
acl-authcDN "cn=admin,dc=example,dc=com"
acl-passwd "super secret passwd"
uri "ldap://172.16.7.8/dc=example,dc=com"
readonly no
acl-authcDN "cn=admin,dc=example,dc=com"
acl-passwd "super secret passwd"
But when I try to convert that, I get an error:
# slaptest -f /root/proxybackend.conf -F /etc/ldap/slapd.d
6075bced /root/proxybackend.conf: line 1: <backend> failed init (meta)!
slaptest: bad configuration directory!
The information in the OpenLDAP Handbook is, well, lacking:
https://openldap.org/doc/admin24/backends.html#Metadirectory
I had hoped to find a way to create an LDIF file which I could add with
ldapadd, but I never came much further than this:
dn: olcDatabase=meta
objectClass: olcDatabaseConfig
objectClass: olcMetaConfig
olcDatabase: meta
olcSuffix: dc=example,dc=com
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: "super secret passwd"
which results in:
adding new entry "olcDatabase=meta"
ldap_add: Server is unwilling to perform (53)
additional info: no global superior knowledge
I'm pretty sure I need more lines in that, to begin with the URI lines
to point the proxy to the machines it needs to contact, but I couldn't
find the olcSomeThing syntax for them. I'm pretty good at searching, but
not so good at finding, unfortunately.
Can somebody give me a few hints please? I'm pretty sure I'm missing
something small here, but I'm stuck.
Kind regards,
Hans
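An added example for the question above; it is not part of Hans's message and not OpenLDAP project code. It is the posted slapd.conf fragment rewritten in the cn=config form that back_meta uses in 2.4: one olcMetaConfig entry for the database and one olcMetaTargetConfig child (olcMetaSub={n}uri) per "uri" block, with the target URI in olcDbURI and the bind identity for that target in olcDbIDAssertBind. Two things about the posted attempt are worth knowing first: an entry named only "olcDatabase=meta" has no parent, which is exactly what "no global superior knowledge" means (the DN has to end in ",cn=config"), and a quoted olcRootPW value in LDIF is stored with the quotes as part of the password. The slaptest error has a simpler cause: the file handed to slaptest -f is read on its own, and it contains no "moduleload back_meta.la", so "backend meta" cannot be initialised.

Assumptions to adjust: the {2} database index (Debian's fresh slapd.d holds {0}config, {-1}frontend and {1}mdb), the proxy account cn=proxy,dc=example,dc=com and its password, and the {SSHA} placeholder. The posted "readonly yes" lines are not carried over: readonly (olcReadOnly) is a database-level directive and would make the whole proxy read-only, so the better place to keep the two replicas write-free is the ACL granted to the proxy account on the backends, which holds whatever the proxy sends. Using a dedicated low-privilege account instead of cn=admin also limits what a compromised proxy can do, since the credentials below end up in clear text under slapd.d.

```ldif
# Added example, not from the original post or the OpenLDAP project.
# Every DN hangs under cn=config; "olcDatabase=meta" on its own has no
# superior. {2} assumes Debian's stock layout ({0}config, {-1}frontend,
# {1}mdb); check with
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase
# and pick the next free index if it differs.
dn: olcDatabase={2}meta,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMetaConfig
olcDatabase: {2}meta
olcSuffix: dc=example,dc=com
olcRootDN: cn=admin,dc=example,dc=com
# No quotes and no clear text here: LDIF keeps quotes as part of the value.
# Paste the hash printed by:  slappasswd -s 'super secret passwd'
olcRootPW: {SSHA}REPLACE-WITH-OUTPUT-OF-slappasswd

# One olcMetaSub child per "uri" block of the slapd.conf form. The proxy
# binds to each backend as a fixed identity; mode=none means no proxyAuthz
# control, so the backend sees cn=proxy for every request. cn=proxy and
# "proxy-secret" are assumptions: create that account on the MirrorMode
# pair with only the rights the proxy needs (read on the two replicas,
# write only where writes are meant to land) rather than reusing cn=admin.
dn: olcMetaSub={0}uri,olcDatabase={2}meta,cn=config
objectClass: olcMetaTargetConfig
olcMetaSub: {0}uri
olcDbURI: "ldap://172.16.7.6/dc=example,dc=com"
olcDbIDAssertBind: bindmethod=simple binddn="cn=proxy,dc=example,dc=com" credentials="proxy-secret" mode=none

dn: olcMetaSub={1}uri,olcDatabase={2}meta,cn=config
objectClass: olcMetaTargetConfig
olcMetaSub: {1}uri
olcDbURI: "ldap://172.16.7.7/dc=example,dc=com"
olcDbIDAssertBind: bindmethod=simple binddn="cn=proxy,dc=example,dc=com" credentials="proxy-secret" mode=none

# The floating IP: the one target that should receive writes.
dn: olcMetaSub={2}uri,olcDatabase={2}meta,cn=config
objectClass: olcMetaTargetConfig
olcMetaSub: {2}uri
olcDbURI: "ldap://172.16.7.8/dc=example,dc=com"
olcDbIDAssertBind: bindmethod=simple binddn="cn=proxy,dc=example,dc=com" credentials="proxy-secret" mode=none
```

Load it with ldapadd -Y EXTERNAL -H ldapi:/// -f meta.ldif and read it back with ldapsearch -Y EXTERNAL -H ldapi:/// -b 'olcDatabase={2}meta,cn=config'; then test the proxy itself from a client with ldapsearch -x -H ldap://<proxy>/ -D cn=admin,dc=example,dc=com -W -b dc=example,dc=com. One caveat on the layout, kept from the posted config on purpose so the mapping is one-to-one: as far as I know back_meta treats three targets that serve the same naming context as three places to look, so a search is sent to all of them and each entry can come back once per target, and a write has no unique candidate unless a default target is set (see default-target in slapd-meta(5)). If the goal is simply "one suffix, several servers", the uri directive in slapd-meta(5) can list several servers for a single target, which is closer to what the floating IP setup wants. If binds to the backends are rejected with an authorization error, idassert-authzFrom in the same man page is the knob to look at. Do not forget that, until TLS is in place, the proxy account's password crosses the network in the clear on every bind to the backends.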