
Re: LDAP control for multiple domains



> However, I'd say that the conclusions are dependent on the client that
> you use.

     Tony,
	Thank you for your response.

	Yes, it is entirely dependent on the clients you're using (of
course).  But my argument was that, having used a few likely LDAP clients,
the split on "dc"s was less convenient for me than keeping the domain
components together.

> Just to take one example, you mention Postfix as smtp server.
> You say that it can't split up dc=domain,dc=com in such a way that
> it's possible for Postfix to use normal email addresses.

	There may have been some miscommunication here; what I'm
specifically referring to is %u and %s macros in the Postfix config file,
and then using those as a simple way to split LDAP searches based on
domain of the incoming email recipients.  You can (of course) set up any
bind and base DN that you want, including using separate LDAP configs for
recipients, domains, aliases, uids, mailbox directories, anti-spam header
searches, etc.  Postfix is very flexible (esp. with regards to LDAP),
well-documented, very VERY easy to configure and administer, and securely
designed -- don't let my comments be viewed as a limitation in Postfix.
I couldn't be happier with Postfix (especially since I needed Maildir
support).

> Then again you mention Apache's auth_ldap. But there's nothing to stop
> you using Apache/PHP for ldap authorization, using dc=domain,dc=com and
> enabling a huge amount more besides.

	No, of course not; but if you need any kind of custom
authentication handler you can't simply use the requested servername
(which has already been parsed and put into the request object for you) if
you split your directory setup by domain component.  Again, not a
technical limitation, it's just extra work and complexity that makes a
"dc=domain, dc=tld" setup less convenient (seemingly without benefit).

	In short, it seems that the "dc=domain, dc=tld" setup is convenient and
sensible if you're using LDAP for DNS -- but not much else.  And yet, all
examples and docs I've found use that setup as the de facto convention.

	So as a newcomer to LDAP I originally set up my database that way,
thinking it was a "best practice", but in the end I found my setup to be
easier to administer when I abandoned that practice.  Thus, my curiosity
has been aroused: what is the reason for that convention, and does it have
any benefits?


--Derek
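An added illustration, not part of Derek's message and not code from Postfix or Apache: the "extra work" he describes is mapping a network-supplied domain (SMTP envelope recipient or HTTP server name) onto a search base under each of the two layouts. The Python below does that for both conventions, validating the domain first and escaping DN components (RFC 4514) and filter values (RFC 4515) so that a hostile address cannot alter the query. The single-component suffix ou=domains,o=mail, the inetOrgPerson/uid schema, and the function names are assumptions for this example; Postfix's own %u/%d expansions do their own escaping, so this is the work a custom handler would have to repeat by hand.

```python
"""
Map an e-mail address onto LDAP search parameters under the two directory
layouts discussed in the thread:

  1. split layout  : domain "example.com" lives under dc=example,dc=com
  2. single layout : domain "example.com" lives under dc=example.com,ou=domains,o=mail

Both base-DN builders and the filter builder escape their inputs, because
the domain and local part come from the network and must never be spliced
into LDAP syntax raw.  (Example code; layout suffix and schema are assumed.)
"""
import re

# Hypothetical suffix for the single-component layout; not from the thread.
SINGLE_LAYOUT_SUFFIX = "ou=domains,o=mail"

# Syntactic check for a multi-label hostname (letters, digits, hyphens, dots only).
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def split_address(address: str) -> tuple[str, str]:
    """Split 'user@example.com' into (local part, lowercased domain).

    This is what Postfix hands to an LDAP table as %u (local part) and
    %d (domain); here the domain is also validated so that a crafted
    recipient or Host header never reaches the DN builders.
    """
    local, sep, domain = address.rpartition("@")
    if not sep or not local:
        raise ValueError(f"not an e-mail address: {address!r}")
    domain = domain.lower()
    if not _DOMAIN_RE.match(domain):
        raise ValueError(f"malformed domain: {domain!r}")
    return local, domain


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514, section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '\\,+"<>;=' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape a value for an LDAP search filter (RFC 4515, section 3)."""
    return "".join(f"\\{ord(ch):02x}" if ch in "*()\\\x00" else ch for ch in value)


def split_layout_base(domain: str) -> str:
    """'example.com' -> 'dc=example,dc=com' (the convention the thread questions)."""
    return ",".join(f"dc={escape_rdn_value(label)}" for label in domain.split("."))


def single_layout_base(domain: str) -> str:
    """'example.com' -> 'dc=example.com,ou=domains,o=mail' (domain kept whole)."""
    return f"dc={escape_rdn_value(domain)},{SINGLE_LAYOUT_SUFFIX}"


def user_filter(local: str) -> str:
    """Filter for the mailbox entry; the domain is already chosen by the base DN."""
    return f"(&(objectClass=inetOrgPerson)(uid={escape_filter_value(local)}))"


def lookup_params(address: str, layout: str) -> dict[str, str]:
    """Return the base DN and filter an MTA or web auth handler would search with."""
    local, domain = split_address(address)
    base = split_layout_base(domain) if layout == "split" else single_layout_base(domain)
    return {"base": base, "filter": user_filter(local)}


if __name__ == "__main__":
    for layout in ("split", "single"):
        print(layout, lookup_params("alice@mail.example.co.uk", layout))
```

Under the split layout the number of `dc=` components varies with the number of labels in the domain, which is exactly why a handler that has the server name in hand still has to run it through something like `split_layout_base` before it can search; under the single layout the domain is one escaped RDN value and the base DN is a fixed template.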