The Oracle LDAP implementation allows you to specify multiple directory servers in LDAP.ORA, but this is for the sake of resilience only: it won’t try each one in turn when performing a lookup. This seems like it would be an incredibly useful thing to do; it would be a rare organization indeed that had managed to end up with one single directory tree that was the source of all truth. So much so, in fact, that Oracle will happily sell you a product for consolidating multiple directory services (one of which might be OID) into a single view.
It just so happens that I already have a simple RDBMS↔LDAP bridge (referred to as an adapter in OVD terminology) which I have applied to two very different application databases so far (one on Oracle, one on MySQL, using the relevant native clients), and the ocamldap library contains a client too, so in ~0.15 kLOC (again, hmm, all my useful OCaml programs seem to be around this so far) I have implemented a trivial server that:
- Accept a bind from the “real” client, always return `SUCCESS`, and store the credentials from the bind request in a `Hashtbl` associated with the `connection_id`.
- Try each “real” LDAP server using the original credentials until finding the first match and simply pass that `Search_result_entry` record straight back to the client. By happy coincidence `Ldap_funclient.search_s` uses exactly the same `protocolOp`. My compliments to Mr Eric Stokes on his API designing skills 🙂
- Finally accept the client’s next query, if any, and return `Search_result_done`, then clean up the credentials and state cache.
This adds ~20ms to the lookup in my development environment. There was only one quirk, which is that if an adapter returns `NO_SUCH_OBJECT` in `Search_result_done` my server exits abruptly on `LDAP_Failure`, which is its defined behavior for anything other than `SUCCESS` – so I modified the adapter code to return that instead, and in the event of there being no such object, skip straight to there, bypassing returning any `Search_result_entry` records. This appears to work correctly with real clients too, so I am wondering if I’ve misunderstood the RFC.
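To make the three steps above and the `NO_SUCH_OBJECT` handling concrete, here is an added Python sketch of the same multiplexing logic; it is not the post’s OCaml code and talks to no network, the `Backend` class and the `BACKENDS` sample data being constructed stand-ins for the real adapters. It differs from the post in one assumed detail: the proxy itself absorbs a backend’s `NO_SUCH_OBJECT` as “no match here” rather than the adapter being changed to return `SUCCESS`.

```python
from dataclasses import dataclass

SUCCESS, NO_SUCH_OBJECT, INVALID_CREDENTIALS = 0, 32, 49   # LDAP result codes

@dataclass
class Backend:
    """Constructed stand-in for one 'real' LDAP server (an OVD-style adapter); no network."""
    name: str
    passwords: dict   # bind DN -> password this backend accepts
    entries: dict     # entry DN -> attributes

    def search(self, bind_dn, password, dn):
        """(Search_result_done code, entry or None) for a single-entry lookup."""
        if self.passwords.get(bind_dn) != password:
            return INVALID_CREDENTIALS, None
        if dn not in self.entries:
            return NO_SUCH_OBJECT, None      # the adapter behaviour discussed in the post
        return SUCCESS, dict(self.entries[dn])

class MuxProxy:
    def __init__(self, backends):
        self.backends = list(backends)
        self.creds = {}   # connection_id -> (bind_dn, password): the Hashtbl in the post

    def bind(self, conn_id, bind_dn, password):
        # Always SUCCESS: the proxy cannot yet know which backend holds the user, so the
        # credentials are only really verified when search() replays them.
        self.creds[conn_id] = (bind_dn, password)
        return SUCCESS

    def search(self, conn_id, dn):
        """First backend that accepts the credentials and holds the entry wins."""
        bind_dn, password = self.creds[conn_id]
        for backend in self.backends:
            code, entry = backend.search(bind_dn, password, dn)
            if code == SUCCESS:
                return SUCCESS, entry, backend.name
        # No backend matched: answer SUCCESS with zero entries instead of relaying
        # NO_SUCH_OBJECT, which the ocamldap client would turn into LDAP_Failure.
        return SUCCESS, None, None

    def done(self, conn_id):
        """Search_result_done: forget the cached credentials and connection state."""
        self.creds.pop(conn_id, None)

# Constructed sample data: two application directories sharing one service account
BACKENDS = [
    Backend("oracle-app", {"cn=svc,dc=example": "s3cret"}, {"uid=alice,dc=example": {"mail": ["alice@example"]}}),
    Backend("mysql-app", {"cn=svc,dc=example": "s3cret"}, {"uid=bob,dc=example": {"mail": ["bob@example"]}}),
]
```

Note that a client presenting a wrong password still sees `SUCCESS` on bind and only finds out at search time, when every backend declines; the credentials also sit in memory in clear until `done()` runs.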
Obviously I’m not doing “full schema and namespace translation services” like OVD, and I’m providing only simple lookups, none of the additional LDAP capabilities such as adding to and modifying the tree via the protocol, etc etc. Nevertheless, you can get a fair bit of what it does done in a couple of days and not very much code…