
Re: LDAP Design Help Requested



On Thu, Apr 15, 1999 at 09:19:28AM -0500, Stephen Anderson wrote:
> I was hoping you guys could help me decide on a high level design for my
> openldap based system.
> 
> The place where I work is considering moving from ccMail to an SMTP/POP3
> based mail system.  The problem is loss of directory services.  So I piped
> up and mentioned LDAP.  So I now have to design an LDAP email directory
> service for our company.
> 
> My question is this, in our company we have several sites around the
> country.  Does anyone have any idea whether it would be better to
> implement the directory service as one LDAP database that's replicated to
> all the sites, or as separate site specific databases that can contact
> each other.
> 
> the latter sounds better to me since the bulk of email is sent within a
> site, but I'm not sure how to implement the system such that users can
> seamlessly query remote sites' LDAP servers for email addresses at other
> locations.  Oh, the client we are looking at using is either Outlook
> Express or Netscape's mail client.
> 
> Any ideas, thoughts, ruminations, or stories would be greatly appreciated.
 
1. You will find it simpler to have one directory that can be designated as
the master. Do all management and administrative functions here. Deploy
additional slave directories as required to handle load or reduce latency
and have the master directory replicated to them.

2. Pick a mail system that allows you to push mail around to various servers
based on some attribute in their directory entry. Exim for example is simple
to setup to do this. 

3. Modify a pop daemon (we like cucipop) to authenticate from a directory.
One simple method to do this is to collect the user's login information and
password. Do an anonymous LDAP search to see if you can find an appropriate
entry. Then attempt to bind using that entry's distinguished name and the
password the user supplied. 

It is not hard to support user@domain for both the MTA and pop server
allowing multiple virtual domains spread across multiple servers. This
allows scaling systems by adding additional mail servers or moving mail
closer to end users.

To virtualize the pop server you can either allocate virtual IPs and do
reverse DNS to get the destination IP name or have users enter user%domain
as their login name. Simply convert the % to @ before processing. [Newer
clients may allow user@domain, older clients strip the @domain off.] 


-- 
Stuart Lynne <sl@fireplug.net>      604-461-7532      <http://edge.fireplug.net>
PGP Fingerprint: 28 E2 A0 15 99 62 9A 00  88 EC A3 EE 2D 1C 15 68
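The search-then-bind login from point 3 above, together with the user%domain convention and the virtual-IP fallback from the end of the message, as an added example that is not part of the original thread and is not cucipop's or Exim's code. It is written in Python rather than as a patch to a C pop daemon; the Directory protocol stands in for a real LDAP client library (python-ldap's search_s and simple_bind_s, for instance), and FakeDirectory, the two entries, the base DN and the virtual-IP-to-domain table are all constructed for the example. Two checks the post does not spell out are included because the login string comes straight from the network: the user-supplied name is escaped before it is spliced into the search filter, and an empty password is rejected before the bind, since LDAP treats a DN with an empty password as an unauthenticated bind (RFC 4513 section 5.1.2) that many servers accept.

```python
"""Search-then-bind POP authentication against an LDAP directory.

Steps, as described in the post:
  1. normalise the login the client sent (user, user%domain, user@domain);
  2. anonymous search for the entry whose mail attribute matches;
  3. simple bind as that entry's DN with the password the user typed.

Directory stands in for a real client library (python-ldap's search_s /
simple_bind_s); FakeDirectory is a constructed in-memory stand-in so the
example runs without a server.
"""
import re
from typing import Optional, Protocol


class Directory(Protocol):
    def search(self, base: str, filt: str) -> list[str]: ...
    def simple_bind(self, dn: str, password: str) -> bool: ...


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a login like 'x)(mail=*' cannot rewrite the filter."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch for ch in value)


def normalise_login(login: str, default_domain: Optional[str]) -> Optional[str]:
    """Turn what the POP client sent into user@domain, or None if unusable.

    Newer clients pass user@domain; older ones strip '@domain', hence the
    post's user%domain workaround. A bare user gets default_domain, which
    the caller derives from reverse DNS of the virtual IP the client hit.
    """
    login = login.strip().replace('%', '@', 1)   # '%' is the post's @ substitute
    if '@' not in login:
        if not default_domain:
            return None
        login = f'{login}@{default_domain}'
    user, _, domain = login.partition('@')
    if not user or not domain or '@' in domain:
        return None
    return f'{user}@{domain}'.lower()


def authenticate(directory: Directory, base: str, login: str, password: str,
                 default_domain: Optional[str] = None) -> Optional[str]:
    """Return the DN of the authenticated user, or None on any failure.

    An empty password is refused up front: DN plus empty password is an
    *unauthenticated* bind (RFC 4513 s5.1.2), which many servers accept,
    so passing it through would log anyone in as anyone.
    """
    mail = normalise_login(login, default_domain)
    if mail is None or not password:
        return None
    filt = f'(mail={escape_filter_value(mail)})'
    dns = directory.search(base, filt)        # anonymous search, step 2
    if len(dns) != 1:                         # no entry, or ambiguous: reject
        return None
    return dns[0] if directory.simple_bind(dns[0], password) else None


class FakeDirectory:
    """Constructed stand-in: understands one equality filter and unescapes
    RFC 4515 hex escapes the way a server would (equality only, no wildcards)."""

    _FILTER = re.compile(r'^\((\w+)=(.*)\)$')

    def __init__(self, entries: dict[str, dict[str, str]]):
        self.entries = entries

    @staticmethod
    def _unescape(v: str) -> str:
        return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), v)

    def search(self, base: str, filt: str) -> list[str]:
        m = self._FILTER.match(filt)
        if not m:
            return []                         # a real server returns a protocol error
        attr, want = m.group(1), self._unescape(m.group(2)).lower()
        return [dn for dn, e in self.entries.items()
                if dn.endswith(base) and e.get(attr, '').lower() == want]

    def simple_bind(self, dn: str, password: str) -> bool:
        e = self.entries.get(dn)
        return e is not None and password != '' and e.get('userPassword') == password


# Constructed sample data: two users in two virtual domains, and the
# virtual-IP -> domain table a reverse-DNS lookup would have produced.
BASE = 'ou=people,dc=example,dc=com'
DIRECTORY = FakeDirectory({
    'uid=alice,' + BASE: {'mail': 'alice@example.com', 'userPassword': 'correct horse'},
    'uid=bob,' + BASE: {'mail': 'bob@branch.example.com', 'userPassword': 'hunter2'},
})
VHOST_DOMAIN = {'192.0.2.10': 'example.com', '192.0.2.11': 'branch.example.com'}

if __name__ == '__main__':
    print(authenticate(DIRECTORY, BASE, 'alice%example.com', 'correct horse'))
    print(authenticate(DIRECTORY, BASE, 'bob', 'hunter2', VHOST_DOMAIN['192.0.2.11']))
    print(authenticate(DIRECTORY, BASE, 'alice@example.com', ''))
```

The order matters: the anonymous search only locates the DN, and the bind is what proves the password, so the pop daemon never needs a privileged directory credential of its own. Requiring exactly one search hit also keeps two entries sharing a mail value from being silently resolved to whichever the server returned first.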