Best way to merge two local DITs vs empty search base suffix

2010-06-13 Thread Guy.Baconniere
Hello,

We want to update our old OpenLDAP server from 2.1.x to 2.4.x but the current
configuration does not use a regular suffix (o=foo,c=bar nor dc=foo,dc=bar) but
uses an empty suffix ("").

We want to move away from empty suffix as we cannot use cn=monitor or any
additional suffixes as they cannot bind when a suffix "" is in use in an hdb
database:

suffix namingContext "o=..." already served by a preceding hdb database serving namingContext ""

We still have some old applications which are using empty search base and query
implicitly the union of o=A and o=B stored within the same ldbm database.

To maintain the backward compatibility we did a meta backend to merge the two
local DITs under suffix "".

The side effect of meta backend with ldap://localhost is the increase of the
number of opened TCP connections to slapd which are eating thread connections
for nothing. The number of threads in use is linked to the number of
suffixmassage used in meta backend (2 in our case). We want to try to avoid
increasing by two the number of threads in use to maintain the backward
compatibility.

Do you know an alternative way to merge two local DITs without using meta
backend? Can we use relay/ldap backend with rwm overlay instead of using meta
backend?

database        meta
suffix          ""
uri             "ldap://localhost/o=test1"
suffixmassage   "o=test1" "o=test1"
uri             "ldap://localhost/o=test2"
suffixmassage   "o=test2" "o=test2"


Thank you for your help.

Best Regards,
Guy Baconniere.



CURRENT CONFIG (slapd 2.1.x)
database ldbm
suffix ""
rootdn cn=manager
directory /var/lib/ldap
# o=test1, o=test2, cn=manager are stored within the same ldbm database

CURRENT LDAPSEARCH  (slapd 2.1.x)
ldapsearch -LLL -h localhost -p 389 -x -b '' -s one '(objectclass=*)' '1.1'
dn: o=test1
dn: o=test2
dn: cn=manager


TEST CONFIG WITH BACKWARD COMPATIBILITY (slapd 2.4.x)
database hdb
suffix o=test1
rootdn cn=admin,dc=test3,dc=com
directory /var/lib/ldap/test1

database hdb
suffix o=test2
rootdn cn=admin,dc=test3,dc=com
directory /var/lib/ldap/test2

database hdb
suffix dc=test3,dc=com
rootdn cn=admin,dc=test3,dc=com
directory /var/lib/ldap/dc=test3,dc=com

database relay
suffix cn=manager
overlay rwm
rwm-rewriteEngine on
rwm-suffixmassage cn=manager cn=manager,o=admin
rwm-normalize-mapped-attrs yes

database        meta
suffix          ""
uri             "ldap://localhost/o=test1"
suffixmassage   "o=test1" "o=test1"
uri             "ldap://localhost/o=test2"
suffixmassage   "o=test2" "o=test2"

LDAPSEARCH WITHOUT META BACKEND (slapd 2.4.x)
ldapsearch -LLL -h localhost -p 389 -x -b '' -s one '(objectclass=*)' '1.1'
No such object (32)

LDAPSEARCH WITH META BACKEND (slapd 2.4.x)
ldapsearch -LLL -h localhost -p 389 -x -b '' -s one '(objectclass=*)' '1.1'
dn: o=test1
dn: o=test2

OPENLDAP LOGS SHOWING THE LOCAL CONNECTIONS OF META BACKEND
slapd[29622]: conn=11 fd=37 ACCEPT from IP=127.0.0.1:33680 (IP=0.0.0.0:389)
slapd[29622]: conn=11 op=0 BIND dn= method=128
slapd[29622]: conn=11 op=0 RESULT tag=97 err=0 text=
slapd[29622]: conn=11 op=1 SRCH base= scope=1 deref=0 filter=(objectClass=*)
slapd[29622]: conn=11 op=1 SRCH attr=1.1
slapd[29622]: conn=8 op=3 SRCH base=o=test1 scope=0 deref=0 filter=(objectClass=*)
slapd[29622]: conn=8 op=3 SRCH attr=1.1
slapd[29622]: conn=8 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[29622]: conn=9 op=3 SRCH base=o=test2 scope=0 deref=0 filter=(objectClass=*)
slapd[29622]: conn=9 op=3 SRCH attr=1.1
slapd[29622]: conn=9 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[29622]: conn=11 op=1 SEARCH RESULT tag=101 err=0 nentries=2 text=
slapd[29622]: conn=11 op=2 UNBIND
slapd[29622]: conn=11 fd=37 closed



Re: Tool to convert from LDIF cn=config to slapd.conf?

2010-06-13 Thread Howard Chu

Francis Swasey wrote:
> On 6/9/10 3:32 PM, Quanah Gibson-Mount wrote:
>> slapd.conf is deprecated and will likely be removed in OpenLDAP 2.5.
>
> Do all of the overlays support cn=config yet?  Last I remember, there
> were still overlays that didn't work with cn=config.

If your memory is correct, you're welcome to submit patches.

> I would rather that cn=config was working with everything for one entire
> release before slapd.conf is removed to give those of us that depend on
> those overlays a chance to migrate -- rather than a repeat of the forced
> conversion to syncrepl before it was completely baked (which I for one
> do not think has completely happened even now in 2.4.22).

All of the core overlays support cn=config.

You can always pull slurpd from CVS if you enjoy that sort of thing, no one
put a gun to your head to force you in any direction.


--
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/


Re: Best way to merge two local DITs vs empty search base suffix

2010-06-13 Thread Quanah Gibson-Mount

--On Sunday, June 13, 2010 12:17 PM +0200 guy.baconni...@swisscom.com wrote:

> Hello,
>
> We want to update our old OpenLDAP server from 2.1.x to 2.4.x but the
> current configuration does not use a regular suffix (o=foo,c=bar nor
> dc=foo,dc=bar) but uses an empty suffix ("").
>
> We want to move away from empty suffix as we cannot use cn=monitor or any
> additional suffixes as they cannot bind when a suffix "" is in use in an
> hdb database:

You can do this just fine.  I do it in all my installs.  You simply need to
declare them in the right order.  I.e., you must declare monitor, etc.
before the empty suffix.


--Quanah


--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration
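
The ordering rule from the reply above (declare monitor and the more specific suffixes before the empty suffix), as an added example that is not part of the original thread: a small Python check that reads slapd.conf-style text and reports every suffix already covered by an earlier database. The sample configurations are constructed, DN comparison is simplified, and the implicit cn=Monitor suffix for the monitor backend is an assumption of this sketch, which is not slapd's own check.

```python
import shlex

# Assumption: the monitor backend serves cn=Monitor without a "suffix" line.
IMPLICIT_SUFFIX = {"monitor": "cn=Monitor"}

def rdns(dn):
    """Lower-cased RDN list; simplified (no escaped-comma handling)."""
    return [p.strip().lower() for p in dn.split(",") if p.strip()]

def is_within(dn, context):
    """True if dn equals or lies below context; "" contains every DN."""
    d, c = rdns(dn), rdns(context)
    return len(c) <= len(d) and d[len(d) - len(c):] == c

def parse_databases(conf_text):
    """Return [(backend, [suffixes])] in declaration order."""
    databases = []
    for raw in conf_text.splitlines():
        try:
            words = shlex.split(raw, comments=True)
        except ValueError:      # unbalanced quotes: not a line we care about
            continue
        if len(words) < 2:
            continue
        key = words[0].lower()
        if key == "database":
            databases.append((words[1].lower(), []))
        elif key == "suffix" and databases:
            databases[-1][1].append(words[1])
    for backend, suffixes in databases:
        if not suffixes and backend in IMPLICIT_SUFFIX:
            suffixes.append(IMPLICIT_SUFFIX[backend])
    return databases

def ordering_conflicts(conf_text):
    """(suffix, backend, earlier_suffix, earlier_backend) per shadowed suffix."""
    seen, conflicts = [], []
    for backend, suffixes in parse_databases(conf_text):
        for suffix in suffixes:
            hit = next((e for e in seen if is_within(suffix, e[0])), None)
            if hit is not None:
                conflicts.append((suffix, backend, hit[0], hit[1]))
        seen.extend((s, backend) for s in suffixes)
    return conflicts

# Constructed samples: empty suffix declared first, then declared last.
BAD = 'database hdb\nsuffix ""\ndatabase hdb\nsuffix "o=test1"\ndatabase monitor\n'
GOOD = 'database monitor\ndatabase hdb\nsuffix "o=test1"\ndatabase hdb\nsuffix ""\n'

if __name__ == "__main__":
    for name, conf in (("BAD", BAD), ("GOOD", GOOD)):
        print(name, ordering_conflicts(conf))
```

An empty result means no database is declared after one whose suffix already contains it, which is the ordering the reply asks for.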