[Pdns-users] LDAP backend notify capability

Fabian Fagerholm fabbe at paniq.net
Sat Jun 25 11:54:34 UTC 2005

Hi again,

On Mon, 2005-06-06 at 11:43 +0200, Norbert Sendetzky wrote:
> That's not that easy because LDAP doesn't support notifications to clients 
> AFAIK. Thus, there would only be the option to regularly scan for changes 
> which isn't my preferred method.
> If you know a more elegant way please let me know.

I've done some thinking and some digging. As you say, one option is to
regularly scan for changes, which is of course an ugly way. And you
rightly imply that the elegant and "correct" solution would be to have
the LDAP server notify the client of a change.

It seems that this is something that people have wanted before. I found
attempts to define a way to do this:

LDAP Persistent Search, an expired draft (?)

LDAP Client Update Protocol (LCUP), which has progressed into RFC3928:

Things seemed to clear up when reading the OpenLDAP Administrator's
Guide, particularly chapter 15 (LDAP Sync Replication) and some ideas
from chapter 16 (The Proxy Cache Engine). What if the Pdns LDAP backend
would cache the search result and receive a notification using the
methods described in this document? First I thought it would be OpenLDAP
specific, but it seems to relate to RFC3928 and RFC3384 and other
published material, and thus there are probably other LDAP servers that
implement it.

Anyway, this would mean that the LDAP backend would change quite
drastically. Perhaps even too much to call this another version of the
current software. It would no longer be a simple LDAP client using the
general LDAP search functions, but instead a specific-purpose LDAP Sync
Replication client. The usual things apply: it would require new code
and testing, but on the other hand it would provide some very nice
features such as reducing the load on the LDAP server and probably
speeding up DNS queries. Not to mention the possibility to implement DNS

Another option would be to use Sync Replication to just receive the
notification from the LDAP server and otherwise operate as now, but I
think that would not be taking full advantage of the features provided.

Of course all this is at a very high level, but it seems to be possible
at least with OpenLDAP. It would be nice if someone familiar with
different LDAP servers could check if they implement this functionality.

Norbert, what do you think?

Fabian Fagerholm <fabbe at paniq.net>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20050625/d5b8a6d8/attachment-0001.sig>

More information about the Pdns-users mailing list