Knowledge base - OpenLDAP
OpenLDAP als Proxy-Server
The Proxy Cache Engine
LDAP servers typically hold one or more subtrees of a DIT. Replica (or shadow)
servers hold shadow copies of entries held by one or more master servers.
Changes are propagated from the master server to replica (slave) servers using
LDAP Sync or slurpd(8). An LDAP cache is a special type of replica which holds
entries corresponding to search filters instead of subtrees.
The proxy cache extension of slapd is designed to improve the responseiveness
of the ldap and meta backends. It handles a search request (query) by first
determining whether it is contained in any cached search filter. Contained
requests are answered from the proxy cache's local database. Other requests
are passed on to the underlying ldap or meta backend and processed as usual.
E.g. (shoesize>=9) is contained in (shoesize>=8) and (sn=Richardson) is
contained in (sn=Richards*)
Correct matching rules and syntaxes are used while comparing assertions for
query containment. To simplify the query containment problem, a list of
cacheable "templates" (defined below) is specified at configuration time. A
query is cached or answered only if it belongs to one of these templates. The
entries corresponding to cached queries are stored in the proxy cache local
database while its associated meta information (filter, scope, base,
attributes) is stored in main memory.
A template is a prototype for generating LDAP search requests. Templates are
described by a prototype search filter and a list of attributes which are
required in queries generated from the template. The representation for
prototype filter is similar to RFC 2254, except that the assertion values are
missing. Examples of prototype filters are: (sn=),(&(sn=)(givenname=)) which
are instantiated by search filters (sn=Doe) and (&(sn=Doe)(givenname=John))
The cache replacement policy removes the least recently used (LRU) query and
entries belonging to only that query. Queries are allowed a maximum time to
live (TTL) in the cache thus providing weak consistency. A background task
periodically checks the cache for expired queries and removes them.
The Proxy Cache paper (http://www.openldap.org/pub/kapurva/proxycaching.pdf)
provides design and implementation details.
15.2. Proxy Cache Configuration
The cache configuration specific directives described below must appear after a
overlay proxycache directive within a "database meta" or database ldap
section of the server's slapd.conf(5) file.
15.2.1. Setting cache parameters
proxyCache <DB> <maxentries> <nattrsets> <entrylimit> <period>
This directive enables proxy caching and sets general cache parameters. The
<DB> parameter specifies which underlying database is to be used to hold cached
entries. It should be set to bdb, hdb, or ldbm. The <maxentries> parameter
specifies the total number of entries which may be held in the cache. The
<nattrsets> parameter specifies the total number of attribute sets (as
specified by the proxyAttrSet directive) that may be defined. The <entrylimit>
parameter specifies the maximum number of entries in a cachable query. The
<period> specifies the consistency check period (in seconds). In each period,
queries with expired TTLs are removed.
15.2.2. Defining attribute sets
proxyAttrset <index> <attrs...>
Used to associate a set of attributes to an index. Each attribute set is
associated with an index number from 0 to <numattrsets>-1. These indices are
used by the addtemplate directive to define cacheable templates.
15.2.3. Specifying cacheable templates
proxyTemplate <prototype_string> <attrset_index> <TTL>
Specifies a cacheable template and the "time to live" (in sec) <TTL> for
queries belonging to the template. A template is described by its prototype
filter string and set of required attributes identified by <attrset_index>.
An example slapd.conf(5) database section for a caching server which proxies
for the "dc=example,dc=com" subtree held at server ldap.example.com.
proxycache bdb 100000 1 1000 100
proxyAttrset 0 mail postaladdress telephonenumber
proxyTemplate (sn=) 0 3600
proxyTemplate (&(sn=)(givenName=)) 0 3600
proxyTemplate (&(departmentNumber=)(secretary=*)) 0 3600
index objectClass eq
index cn,sn,uid,mail pres,eq,sub
Knowledge base wurde zuletzt bearbeitet am 12.07.13 durch Frank