I need to set up a local LDAP proxy cache which connects to our central Active Directory server. OpenLDAP Proxy Cache looks just like the thing. But following the manpages as closely as possible, I am not able to get it working.
I am able to proxy requests through localhost to the remote server, but they are not cached (or the cache not retrieved, at least).
The steps I made:

- Installed the `openldap-servers` and `openldap-clients` packages
- Created a `slapd.conf` config file (details below)
- Created a directory for the proxy database and copied the default DB_CONFIG file there (details below)
- Ran the `slapd -d -1` command to start the server
- Queried the server using this command:

```
ldapwhoami -vvv -h localhost -D "CN=Melka Martin,OU=(...),DC=int,DC=ourdomain,DC=com" -x -w <password>
```
The result is success. But sniffing network traffic shows the query is pulled from the central LDAP server.
The `slapd` output is pretty verbose, but it does at one point state:

```
QUERY NOT ANSWERABLE
QUERY CACHEABLE
```
Alas, if it does get cached, it is never answered. Any ideas what can be wrong?
`"cn=admin,dc=int,dc=ourdomain,dc=com"` is the DN of an admin user in the remote LDAP server. `<something>` is his password.
slapd.conf:

```
database ldap
suffix "dc=int,dc=ourdomain,dc=com"
rootdn "cn=admin,dc=int,dc=ourdomain,dc=com"
rootpw <something>
uri ldap://dc-04.int.ourdomain.com:389

overlay pcache
pcache hdb 100000 1 1000 100
pcacheAttrset 0 *
pcacheTemplate (sn=) 0 3600
pcacheBind (sn=) 0 3600 sub dc=int,dc=ourdomain,dc=com

cachesize 200
directory /var/lib/ldap
index objectClass eq
index cn eq,sub
```

DB_CONFIG:

```
# $OpenLDAP$
# one 0.25 GB cache
set_cachesize 0 268435456 1

# Transaction Log settings
set_lg_regionmax 262144
set_lg_bsize 2097152
```
The verbose log output: http://pastebin.com/9s8HMg7d
Best Answer
Are you expecting the following query to be cached?
First of all I would change the templates to match the auth params:
(dn is distinguished name, sn is surname)
But I would be surprised if it worked. In fact, I am not sure `ldapwhoami` is the right tool to test this overlay. The man page talks about authentication clients, for example `nss_ldap`. You should configure it beforehand and observe which queries it performs, so you can mimic template, scope and base.
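Two checks that follow from the answer's advice, as an added Python example (not code from the question, the answer, or OpenLDAP): turning a search filter observed from a client into the value-stripped form that `pcacheTemplate` expects, and checking whether a `pcacheBind` template names the attribute of the Bind DN's RDN. The second check assumes, from my reading of slapo-pcache(5), that the Bind template takes its assertion value from that RDN; the sample filter and the OU in the sample DN are constructed.

```python
import re

# Constructed sample input: a search of the kind an authentication client
# such as nss_ldap sends (not captured from the question's server).
SAMPLE_FILTER = "(&(objectClass=posixAccount)(uid=mmelka))"
# Bind DN from the question, with a constructed OU in place of the elided one.
SAMPLE_BIND_DN = "cn=Melka Martin,ou=people,dc=int,dc=ourdomain,dc=com"

# One attribute-value assertion inside a filter: "(attr=value)" and friends.
# Presence, substring and escaped-parenthesis values are not modelled.
_AVA = re.compile(r"\(([A-Za-z][\w.;-]*)(=|~=|>=|<=)([^()]*)\)")


def filter_to_template(filt: str) -> str:
    """Strip assertion values so the filter becomes a pcacheTemplate filter
    template, e.g. (&(objectClass=posixAccount)(uid=mmelka))
    becomes (&(objectClass=)(uid=))."""
    return _AVA.sub(lambda m: f"({m.group(1)}{m.group(2)})", filt)


def matches_template(filt: str, template: str) -> bool:
    """True when the query has the template's structure and attributes
    (compared case-insensitively). Whether the cache can then answer it also
    depends on the TTL and on the requested attributes being in the attrset,
    which this check does not model."""
    return filter_to_template(filt).lower() == filter_to_template(template).lower()


def rdn_attribute(dn: str) -> str:
    """Attribute type of the Bind DN's first RDN ('cn' for the question's
    ldapwhoami call). Escaped commas inside RDN values are not handled."""
    return dn.split(",", 1)[0].split("=", 1)[0].strip().lower()


def bind_template_applies(bind_dn: str, bind_template: str) -> bool:
    """Assumption: a pcacheBind template fills its assertion value from the
    Bind DN's RDN, so it can only serve Binds whose RDN attribute it names.
    With the question's (sn=) template and a cn=... Bind DN this is False."""
    attrs = {m.group(1).lower() for m in _AVA.finditer(bind_template)}
    return rdn_attribute(bind_dn) in attrs


if __name__ == "__main__":
    print(filter_to_template(SAMPLE_FILTER))
    print(bind_template_applies(SAMPLE_BIND_DN, "(sn=)"))
    print(bind_template_applies(SAMPLE_BIND_DN, "(cn=)"))
```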