The Version 6 CLI: First Steps With Directory Proxy
By mcraig on Mar 09, 2007
Once you start using multiple Directory Server replicas, you realize it can become painful for LDAP client applications to keep track of all the host names and port numbers needed to contact each Directory Server instance. You may want to protect your Directory Server instances from direct access. You also probably want to balance LDAP client requests across your Directory Server instances. You may want to scale update capacity by using data distribution, or add a virtual directory front end to relational database content. Directory Proxy Server 6 makes all these jobs possible.
This entry shows you the most basic steps to getting a Directory Proxy Server instance running on your system, and answering requests for LDAP information in a directory behind the proxy. If you have not yet installed Directory Server Enterprise Edition 6.0 software, see Installing Directory Server Enterprise Edition 6.0.
To use Directory Proxy Server 6.0, there are three key concepts you need to know. First, Directory Proxy Server lets you configure data views onto the underlying data. Depending on the type of data view, you can see LDAP data behind the proxy exactly as it appears in Directory Server, you can see a modified view with renamed DNs and attributes, or you can even see an LDAP representation of SQL data. Second, Directory Proxy Server attaches data views to data source pools. A data source pool consists of equivalent data sources, each of which can service an equivalent request. Third, data sources are the configuration objects that hold information about the connections to actual sources of data, such as servers, databases, or LDIF files.
For this entry, I start with the Directory Server instance set up in The Version 6 CLI: Getting Started. The directory listens for LDAP requests on port 1389, and already contains sample data. (To keep things simple, I set up the proxy on the same host system, and so use a different port.) We can see entries in the directory with ldapsearch.
$ ldapsearch -p 1389 -b dc=example,dc=com uid=bjensen
version: 1
dn: uid=bjensen, ou=People, dc=example,dc=com
description: This is a new description.
givenName: Barbara
sn: Jensen
telephoneNumber: +1 408 555 1862
ou: Product Development
ou: People
l: Cupertino
roomNumber: 0209
mail: firstname.lastname@example.org
uid: bjensen
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
facsimileTelephoneNumber: +1 408 555 1992
cn: Barbara Jensen
cn: Babs Jensen
Creating a Directory Proxy Server Instance
With Directory Server Enterprise Edition 6.0 software installed, you can use the dpadm and dpconf commands to create and configure Directory Proxy Server 6.0. Creating a Directory Proxy Server instance is a two-step process.
First, you use dpadm create to create the proxy instance on the local file system. Here, I use port 2389 for LDAP and port 2636 for LDAP/SSL. If the proxy is the LDAP access point for client applications, you may want to use the defaults, 389 for LDAP and 636 for LDAP/SSL.
$ dpadm create -p 2389 -P 2636 /local/dps
Choose the Proxy Manager password:
Confirm the Proxy Manager password:
Use 'dpadm start /local/dps' to start the instance
Second, you use dpadm start to start Directory Proxy Server so you can configure the proxy.
$ dpadm start /local/dps
...
Directory Proxy Server instance '/local/dps' started: pid=26315
After you start the newly created proxy, it can respond to LDAP requests. But the newly created instance cannot yet send requests to any data source.
Proxying for Directory Server
In order for the server instance to work as a proxy, you must configure a data source, a data source pool, and a data view. This may seem like overkill to proxy for one Directory Server instance. Keep in mind that most of the time a proxy accesses multiple data sources, in multiple data source pools, through multiple data views.
The following code excerpt shows how I create a data source pointing to the Directory Server instance listening on port 1389, a data source pool containing only that server, and a data view into the data source pool. I have environment variables set as described in the Installation Guide so I do not have to repeatedly type port numbers and passwords.
$ dpconf create-ldap-data-source "My DS" localhost:1389
Certificate "CN=hostname:2389" presented by the server is not trusted.
Type "Y" to accept, "y" to accept just once, "n" to refuse, "d" for more details: Y
$ dpconf create-ldap-data-source-pool "My Pool"
$ dpconf attach-ldap-data-source "My Pool" "My DS"
$ dpconf create-ldap-data-view "My View" "My Pool" dc=example,dc=com
Now I must enable the data source and restart the server for the connection from the proxy to the directory to work.
$ dpconf set-ldap-data-source-prop "My DS" is-enabled:true
$ dpadm restart /local/dps
Directory Proxy Server instance '/local/dps' stopped
...
Directory Proxy Server instance '/local/dps' started: pid=26373
I must also assign a (load balancing) weight to each type of LDAP operation that I want routed. By default, no operations are routed from the proxy to the directory. The values used for LDAP operation weights only matter relative to each other. Here, I arbitrarily assign the value 100 to search operations. As long as I assign no other weights, this only means that searches get routed from the proxy to the directory; other operation types are still not routed at all.
$ dpconf set-attached-ldap-data-source-prop "My Pool" "My DS" search-weight:100
At this point, the proxy is connected to the directory for LDAP searches. You can see that it works when I run the same search I ran against the directory earlier, this time on port 2389, where the proxy is listening.
$ ldapsearch -p 2389 -b dc=example,dc=com uid=bjensen
version: 1
dn: uid=bjensen, ou=People, dc=example,dc=com
description: This is a new description.
givenName: Barbara
sn: Jensen
telephoneNumber: +1 408 555 1862
ou: Product Development
ou: People
l: Cupertino
roomNumber: 0209
mail: email@example.com
uid: bjensen
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
facsimileTelephoneNumber: +1 408 555 1992
cn: Barbara Jensen
cn: Babs Jensen
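Eyeballing one entry is fine for a first test, but once searches flow through a data view you want a repeatable check that the proxy presents exactly what Directory Server holds. The script below is an added example, not part of the original post or of the Directory Server Enterprise Edition tooling. It normalizes two LDIF results (unfolding continuation lines, dropping the version header, sorting attribute lines so that attribute order, which the proxy does not guarantee, cannot cause a false mismatch) and compares them. It assumes the setup above: Directory Server on port 1389, the proxy on port 2389, base DN dc=example,dc=com, an anonymous bind as in the post, and a single-entry result. The function names and the `--live` flag are my own.

```shell
#!/bin/sh
# Added example (not from the original post): verify that an entry read through
# Directory Proxy Server (port 2389) matches the same entry read directly from
# Directory Server (port 1389). Ports, base DN and anonymous bind are assumptions
# taken from the walkthrough above.

# Normalize one LDIF search result read from stdin:
#  - join continuation lines (a leading space appends to the previous line)
#  - drop the "version:" header and blank lines
#  - sort the remaining attribute lines so ordering differences do not matter
# Assumes a single entry per result (as with the uid=bjensen search).
normalize_ldif() {
    awk '
        function flush() { if (buf != "" && buf !~ /^version:/) print buf; buf = "" }
        /^ /  { buf = buf substr($0, 2); next }   # continuation line
        /^$/  { flush(); next }                    # blank separator line
              { flush(); buf = $0 }
        END   { flush() }
    ' | sort
}

# Return 0 when two LDIF results describe the same entry after normalization.
entries_match() {
    direct=$(printf '%s\n' "$1" | normalize_ldif)
    proxied=$(printf '%s\n' "$2" | normalize_ldif)
    [ "$direct" = "$proxied" ]
}

# Fetch one entry: $1 is the port, $2 the LDAP filter.
# Anonymous bind as in the post; add -D/-w to check an authenticated view.
fetch_entry() {
    ldapsearch -p "$1" -b dc=example,dc=com "$2"
}

if [ "${1:-}" = "--live" ]; then
    if ! command -v ldapsearch >/dev/null 2>&1; then
        echo "ldapsearch not found on PATH" >&2
        exit 2
    fi
    if entries_match "$(fetch_entry 1389 uid=bjensen)" "$(fetch_entry 2389 uid=bjensen)"; then
        echo "OK: proxy on 2389 returns the same entry as Directory Server on 1389"
    else
        echo "MISMATCH: proxy view differs from the directory; compare the normalized results" >&2
        exit 1
    fi
else
    echo "usage: sh proxy_check.sh --live   (or source this file to reuse the functions)"
fi
```

Run it with `--live` after the restart and weight assignment; a non-zero exit means either the data view is rewriting the entry (expected only for a view configured to rename DNs or attributes) or the proxy is not routing the search to the data source you think it is.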