
Re: LDAP control for multiple domains



Wed, 2002-11-20 at 21:50, Derek Simkowiak wrote:

> 	Second: The "dc=domain, dc=tld" layout has become popular lately
> (I'm not sure but it may have something to do with some global directory
> project), but I strongly recommend against it.
> 
> 	Why?  Because it's difficult for apps that use LDAP to split a
> domain into "dc=domain, dc=tld" searches.  For example, the Postfix SMTP
> server will let you search for an email address in LDAP (to see if Postfix
> should accept it, for example), and it offers the %u and %d (I think...
> going off memory) macros for building a customized search filter for the
> LDAP database.  If you have something like
> 
> ou=domain.com
> 
> 	then you can use the %d to narrow your email address search to
> that domain's sub-directory.  This allows you to use a simple schema like
> posixAccount to store email users, because you can simply search on the
> uid (login name, i.e., the 'dereks' in 'dereks@foo.com').  But if you have
> 
> dc=domain, dc=com
> 
> 	Then you cannot search just that subdir for the given email
> address.  The same is true when using different SASL realms, Apache
> VirtualHosts with auth_ldap, or the courier IMAP server.

> 	If somebody can offer an explanation, or list any benefits of such
> a setup, I would very much like to hear them.  It seems to be the de facto
> standard for all examples and default config files, and I'd like to know
> why.  Running an OpenLDAP server for SMTP, IMAP, SASL, Apache auth, and
> (soon) Outlook addressbooks, the dual "dc=" design seems greatly inferior
> to simply listing the complete domain name so that the apps can easily
> build useful search filters.  (Besides that, many ISPs use your domain
> name as your customer I.D., so if you're an ISP there's yet another reason
> not to split it up into constituent parts.)

Derek,

A very comprehensively composed argument.

However, I'd say that the conclusions are dependent on the client that
you use. Just to take one example, you mention Postfix as smtp server.
You say that it can't split up dc=domain,dc=com in such a way that it's
possible for Postfix to use normal email addresses. I chose Exim many
years ago and have gone with it ever since. I use Exim 4.10 in everyday
use to do just what you say isn't possible with Postfix - and cope with
system aliases, smtp AUTH, mail routing addresses, virtual domains and
an awful lot more. That's because Exim has been written to satisfy an
enormous number of people who have requested ultimate configurability.
Including extremely large ISPs, such as my own: Demon Internet.

Then again you mention Apache's auth_ldap. But there's nothing to stop
you using Apache/PHP for ldap authorization, using dc=domain,dc=com and
enabling a huge amount more besides.

Horses for courses. ldap's system of referrals was designed for global
directories, in which it simply carried on from x500. Your suggestion
would prohibit such use, IMHO.

Best,

Tony

-- 

Tony Earnshaw

When all's said and done ...
there's nothing left to say or do.

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
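An added example in Python (not code from this thread, nor from Postfix or Exim) for the point argued above: given an e-mail address, it derives the search base for both the "ou=domain.com" layout Derek prefers and the "dc=domain,dc=com" layout he objects to, and builds the uid filter for the posixAccount schema he mentions. The dc= split turns out to be a mechanical transformation of the domain; the part that actually needs care in either layout is validating the domain before it becomes part of a DN and escaping the user-controlled local part (RFC 4515) before it is interpolated into the filter, since an unescaped local part can rewrite the filter. The parent DN under which the ou= entries sit is an assumption.

```python
"""Derive an LDAP search base and uid filter from an e-mail address.

Added example; assumes posixAccount entries keyed by uid, and (for the
ou= layout) a hypothetical parent DN supplied by the caller.
"""
import re

# One DNS label: letters/digits/hyphens, no leading or trailing hyphen,
# at most 63 characters. Anything else is rejected before it reaches a DN.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return (value.replace("\\", "\\5c")   # backslash first, so later escapes stay intact
                 .replace("*", "\\2a")
                 .replace("(", "\\28")
                 .replace(")", "\\29")
                 .replace("\x00", "\\00"))


def is_valid_domain(domain: str) -> bool:
    """True if every label of the domain is a well-formed DNS label."""
    labels = domain.lower().split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def split_address(address: str) -> tuple[str, str]:
    """Split 'local@domain' into (local, lowercased domain); reject bad domains."""
    local, at, domain = address.rpartition("@")
    if not at or not local:
        raise ValueError("address must have a local part and an @")
    if not is_valid_domain(domain):
        raise ValueError("domain is not a valid hostname")
    return local, domain.lower()


def base_dn_for_domain(domain: str, layout: str, parent: str = "") -> str:
    """Search base for a validated domain in either of the two layouts."""
    if layout == "ou":
        # "ou=domain.com" kept whole, optionally under a parent DN (assumed).
        return f"ou={domain},{parent}" if parent else f"ou={domain}"
    if layout == "dc":
        # "dc=domain,dc=com": one dc= component per DNS label.
        return ",".join(f"dc={label}" for label in domain.split("."))
    raise ValueError("layout must be 'ou' or 'dc'")


def build_lookup(address: str, layout: str, parent: str = "") -> tuple[str, str]:
    """Return (search base, filter) for looking up the mailbox of an address."""
    local, domain = split_address(address)
    base = base_dn_for_domain(domain, layout, parent)
    # The local part is attacker-controlled input (it arrives in the SMTP
    # envelope), so it is escaped before being placed into the filter.
    flt = f"(&(objectClass=posixAccount)(uid={escape_filter_value(local)}))"
    return base, flt


if __name__ == "__main__":
    # Constructed sample addresses; the second one carries filter metacharacters.
    for addr in ("dereks@foo.com", "der*)(uid=*@foo.com"):
        for layout in ("ou", "dc"):
            parent = "o=mail" if layout == "ou" else ""
            base, flt = build_lookup(addr, layout, parent)
            print(f"{layout}: base={base} filter={flt}")
```

With either base, the filter is the same `(uid=...)` lookup restricted to that domain's subtree; the difference between the two layouts is confined to `base_dn_for_domain`.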