I've been trying to set up an OpenLDAP installation for two domains and I've found out that to do such a thing, one has to set up two databases.
In my quest to do so, I've stumbled upon this Stack Overflow question which uses a second backend (bdb) to accomplish that, but unfortunately, OpenLDAP doesn't come with the bdb backend anymore, so I've been trying to set up a second database with the mdb backend, but I haven't been able to.
The ldif file to create the database:
dn: olcDatabase=mdb2,cn=config
changetype: add
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDbDirectory: /var/lib/ldap2/
olcDatabase: mdb
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcLastMod: TRUE
olcSuffix: dc=domain2,dc=com
olcAccess: to attrs=userPassword by self write by anonymous auth by * none
olcAccess: to attrs=shadowLastChange by self write by users read
olcAccess: to * by users read
olcRootDN: cn=admin,dc=domain2,dc=com
olcRootPW: {SSHA}<HASH>
Executing the ldif returns:
value of single-valued naming attribute 'olcDatabase' conflicts with value present in entry
Trying to swap olcDatabase: mdb for olcDatabase: mdb2 returns:
Unrecognized database type (mdb2)
Is there any way to have two databases with the same backend in OpenLDAP?
Yes, but both entries need to use mdb as the base name. The cn=config backend uses an {x} index prefix to disambiguate multiple instances, so your config tree should look like this:
dn: cn=config
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}mdb,cn=config
dn: olcDatabase={2}mdb,cn=config
dn: olcDatabase={3}mdb,cn=config
Side note #1: bdb has been obsolete for much longer than mdb has existed – before LMDB introduction, the correct choice would have been hdb, the "hierarchical" variant of bdb.
Side note #2: With "raw" LDAP (that is, without Active Directory or similar integrated systems), the base DN is an arbitrary value and doesn't need to be domain-related at all, e.g. it could just as well be named o=Ponies Inc. (i.e. traditional X.500 style instead of using "dc=" attributes).
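The naming rule from the answer, checked offline before an ldapadd: the script below is an added example, not code from either poster, and it reproduces both errors from the question by validating an olcDatabase entry's RDN against its olcDatabase attribute. It also flags a cleartext olcRootPW, the one thing a reviewer should catch in a database entry like the one above. The sample entry and its {SSHA} value are constructed placeholders; the backend set is assumed to match a current build without bdb/hdb.

```python
import re

# Backend types available in a current OpenLDAP build; bdb/hdb are no longer shipped.
KNOWN_BACKENDS = {"frontend", "config", "mdb", "ldap", "meta", "monitor", "relay", "null"}
# olcDatabase RDN: optional {N} ordering index followed by the backend type name.
RDN_RE = re.compile(r"^olcDatabase=(\{-?\d+\})?([A-Za-z0-9]+),cn=config$")

def parse_ldif_entry(text):
    """Parse one LDIF entry into (dn, {attr: [values]}); comments and folded lines handled."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    dn, attrs = None, {}
    for line in lines:
        key, _, value = line.partition(":")
        value = value.strip()
        if key.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(key, []).append(value)
    return dn, attrs

def check_database_entry(text):
    """Return the problems slapd would reject, or a config reviewer should flag, for one entry."""
    dn, attrs = parse_ldif_entry(text)
    m = RDN_RE.match(dn or "")
    if not m:
        return [f"dn must be olcDatabase={{N}}<backend>,cn=config, got: {dn}"]
    rdn_type = m.group(2)
    db_type = attrs.get("olcDatabase", [""])[0]
    problems = []
    if db_type not in KNOWN_BACKENDS:          # the 'mdb2' attempt from the question
        problems.append(f"Unrecognized database type ({db_type})")
    elif rdn_type != db_type:                  # RDN says mdb2, attribute says mdb
        problems.append("value of single-valued naming attribute 'olcDatabase' "
                        f"conflicts with value present in entry ({rdn_type} vs {db_type})")
    if db_type == "mdb":
        problems += [f"missing {a}" for a in ("olcSuffix", "olcDbDirectory") if a not in attrs]
    for pw in attrs.get("olcRootPW", []):
        if not pw.startswith("{"):             # no {SCHEME} prefix: stored in cleartext
            problems.append("olcRootPW is cleartext; hash it with slappasswd")
    return problems

# Constructed sample: the second database written the way the answer describes.
SECOND_DB = """\
dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbDirectory: /var/lib/ldap2/
olcSuffix: dc=domain2,dc=com
olcRootDN: cn=admin,dc=domain2,dc=com
olcRootPW: {SSHA}placeholder-hash-from-slappasswd
"""
```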