Can OpenLDAP Connect to Other Directories?
Date: 12-14-2015
The short answer is yes. OpenLDAP can hand a client a referral to another server, it can act as a meta-directory that proxies or fans requests out to other LDAP servers (and can delegate authentication to one of them), and it can be built into a virtual directory over non-LDAP data stores. Each option is covered below.
Referrals
OpenLDAP can answer a request with a referral: instead of data, the client receives an LDAP URL telling it where else to look. The application has to be prepared to receive either a referral or a data response, and it needs credentials that are valid on every directory server a referral might name. When a referral comes back, the application can retry the request against the suggested server.
Referrals were an important design element in the X.500 Directory Services standards and were carried over into the Lightweight Directory Access Protocol (LDAP). A large organization may contain many smaller, locally managed subdirectories whose contents are of interest across all of its units. Referrals let an application ask the top-most parent directory where to find the information it needs and then follow the referral to the right server.
Credential management is a significant issue in these systems, because every application that follows referrals must hold credentials for every referral target. Managing password aging and keeping all of those credentials confidential quickly becomes impractical, which lowers the security of the whole system. There is a second caveat: a client that follows referrals with its existing credentials presents them to whatever server the referral names, so a referral injected by a compromised or misconfigured server is an easy way to harvest passwords. As a result, top-level, purely redirecting directory services are rare now. As individual servers became more powerful it was also simply easier to collapse closely related servers onto one central service, or to stitch separate directories together with server-side chaining such as OpenLDAP’s back-ldap and back-meta backends (see below), where only the proxy needs the remote credentials.
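As an added example (not from the original article), here is the slapd.conf of a departmental server that holds only its own subtree and refers every other request to the enterprise root server. The hostnames, DNs and paths are assumptions chosen for illustration.

```conf
# Added example, not from the original article: slapd.conf for a departmental
# OpenLDAP server that holds only ou=Sales,dc=example,dc=com. Hostnames, DNs
# and paths are assumptions chosen for illustration.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema

# Global referral: an operation whose base DN falls under no local suffix is
# answered with result code 10 (referral) carrying this URL, which tells the
# client to ask the root server instead. Nothing is forwarded; this server
# only hands back the address.
referral        ldap://root.example.com/

database        mdb
suffix          "ou=Sales,dc=example,dc=com"
rootdn          "cn=Manager,ou=Sales,dc=example,dc=com"
# rootpw omitted here; set it from slappasswd output, never in clear text.
directory       /var/lib/openldap/sales

# Access control applies only to local data; the referral above is produced
# before any database, and therefore any ACL, is consulted.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by users read
        by * none
```

With this file, `ldapsearch -x -H ldap://sales.example.com -b dc=example,dc=com '(uid=alice)'` is answered with the referral and the root server's URL; adding `-C` makes ldapsearch follow it. The OpenLDAP client library follows a referral with an anonymous bind unless the application has registered a rebind procedure (ldap_set_rebind_proc), so an authenticated search silently turning anonymous on the referred server is the usual surprise, and an application that does supply credentials on rebind is sending them to whatever host the referral named. Either way the client, not the server, decides what to trust, which is why the chaining backends in the next section are the more common design today.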
Meta-Directories
In a meta-directory several directories are connected so that they appear to clients as a single directory. OpenLDAP has two backends for this: back-ldap and back-meta. A third piece, the remoteauth overlay (slapo-remoteauth), lets a local OpenLDAP server authenticate its users against a remote LDAP server, so that the users' passwords can be managed there.
Although similar in design, back-ldap and back-meta differ in how they handle a search. back-ldap relays each operation to a single remote directory (a list of URIs serves only as a failover list) and passes the results back to the client, whereas back-meta sends the search in parallel to every remote target whose naming context falls under the search base and returns the merged results. The choice between them depends on what the applications need and on how the data is split across the remote servers.
The remoteauth overlay lets an OpenLDAP server authenticate users (that is, process their BIND operations) against another LDAPv3 server, such as a second OpenLDAP server or an Active Directory (AD) domain controller; the password is verified by the remote server, not locally. This too can be seen as a form of meta-directory. remoteauth is typically used where users are managed in Active Directory but need access to content hosted in OpenLDAP. A common case is Linux system login: the password is managed in AD, and the login is transparently authenticated through OpenLDAP. Because the overlay performs the remote bind with the client's plaintext password, both the client-to-OpenLDAP and the OpenLDAP-to-AD connections should be protected with TLS. NOTE: an AD instance can also be a back-ldap or back-meta target, in the traditional meta-directory way.
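The following slapd.conf is an added example, not configuration from the original article, and it serves both the back-ldap/back-meta comparison and the remoteauth description above: one local database whose users authenticate against AD, one back-ldap proxy to a single remote directory, and one back-meta database that fans searches out to two targets. Every hostname, DN, path, password and schema choice is an assumption; directive semantics are as I understand the slapd-ldap(5), slapd-meta(5) and slapo-remoteauth(5) manual pages, and the remoteauth directive names in particular are from memory and must be checked against the manual page of the release in use.

```conf
# Added example, not from the original article: one slapd.conf combining the
# three mechanisms described in the text. Every hostname, DN, path, password
# and schema choice is an assumption chosen for illustration.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
# Needed only when these backends and overlays were built as loadable modules.
moduleload      back_ldap.la
moduleload      back_meta.la
moduleload      remoteauth.la
TLSCACertificateFile /etc/openldap/ca.pem

### 1. Local entries whose passwords are checked by Active Directory ###
database        mdb
suffix          "ou=People,dc=example,dc=com"
rootdn          "cn=Manager,ou=People,dc=example,dc=com"
directory       /var/lib/openldap/people

overlay         remoteauth
# Directive names as recalled from slapo-remoteauth(5); verify them. A simple
# BIND to a local entry that carries no userPassword is forwarded to the server
# mapped from the entry's domain, presenting the value of the dn attribute
# (assumed here to be the AD UPN stored in "mail") as the remote identity.
remoteauth_mapping          example.com ldaps://dc1.example.com
remoteauth_domain_attribute associatedDomain   # from cosine.schema
remoteauth_dn_attribute     mail
remoteauth_default_domain   example.com
remoteauth_store            off   # do not copy the verified password into userPassword
remoteauth_retry_count      1
remoteauth_tls              tls_reqcert=demand tls_cacert=/etc/openldap/ca.pem

### 2. back-ldap: proxy a single remote directory ###
database        ldap
suffix          "ou=Partners,dc=example,dc=com"
# The URI list is for failover only: each operation goes to the first server
# that answers, never to several at once. The remote is assumed to serve the
# same suffix; if it does not, add slapo-rwm to massage the DNs.
uri             "ldap://ldap1.partner.example ldap://ldap2.partner.example"
tls             start                 # StartTLS before any bind is sent
                tls_reqcert=demand
                tls_cacert=/etc/openldap/ca.pem
rebind-as-user  yes   # reuse the client's own credentials on reconnect
chase-referrals no    # never follow referrals returned by the remote server
network-timeout 5

### 3. back-meta: fan one search out to several directories ###
database        meta
suffix          "ou=Directories,dc=example,dc=com"
network-timeout 5
# Directives after a "uri" line apply to that target only. A subtree search on
# ou=Directories,dc=example,dc=com is sent to both targets in parallel and the
# two result sets are merged before being returned to the client.

uri             "ldap://hr.example.com/ou=HR,ou=Directories,dc=example,dc=com"
suffixmassage   "ou=HR,ou=Directories,dc=example,dc=com" "dc=hr,dc=local"
rebind-as-user  yes
chase-referrals no

uri             "ldap://dc1.example.com/ou=Corp,ou=Directories,dc=example,dc=com"
suffixmassage   "ou=Corp,ou=Directories,dc=example,dc=com" "dc=corp,dc=example,dc=com"
# AD refuses anonymous searches, so the proxy binds with a service account.
# mode=none sends no proxy-authorization control (AD does not honour it), so
# every client sees exactly what this account may see: make it read-only in
# AD and limit it to the OUs the proxy must expose.
idassert-bind   bindmethod=simple
                binddn="cn=ldap-proxy,cn=Users,dc=corp,dc=example,dc=com"
                credentials="change-me-before-deploying"
                mode=none
chase-referrals no   # AD returns referrals for other naming contexts; ignore them
```

Two operational checks follow from this file. First, `credentials=` is stored in clear text, so slapd.conf must be readable only by the slapd user (mode 0600); the same applies to any file referenced by remoteauth. Second, test each leg independently before exposing the server: `ldapwhoami -x -ZZ -H ldap://ldap.example.com -D uid=alice,ou=People,dc=example,dc=com -W` should succeed only with the user's AD password, and a subtree search under ou=Directories should return entries from both targets with their DNs rewritten to the local suffix.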
Virtual Directories
A virtual directory draws not only on LDAP data sources but also on other kinds of data store. OpenLDAP has backends for this, such as back-sql for relational databases and back-perl and back-sock for custom code; each presents non-LDAP data as LDAP entries. OpenLDAP's own storage backends are so much faster than most non-LDAP data stores that a virtual directory runs only as fast as its slowest source, so virtual directories are generally used only where high performance is not required.
Setting up a virtual directory with several backends, each handling a different kind of data store, is complicated, and such an implementation takes longer to develop than an LDAP-only meta-directory.