Re: namedref-00: manageDsaIt question
Date sent: Thu, 05 Aug 1999 11:58:45 -0700
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.Org>
Organization: OpenLDAP <http://www.openldap.org/>
To: d.w.chadwick@salford.ac.uk
Subject: Re: namedref-00: manageDsaIt question
> David Chadwick wrote:
> >
> > Date sent: Tue, 03 Aug 1999 17:57:13 -0700
> > From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.Org>
> > Organization: OpenLDAP <http://www.openldap.org/>
> > To: d.w.chadwick@salford.ac.uk
> > Copies to: ietf-ldapext@netscape.com
> > Subject: Re: namedref-00: manageDsaIt question
> >
> > > Maybe I should give another example.
> > >
> > > server M masters two naming contexts
> > > "o=abc,c=us"
> > > "ou=hq,o=abc,c=us"
> >
> > Kurt, this example is flawed, since you only have one naming
> > context by definition. A naming context is defined as (quoting from
> > X.501)
> >
> > A naming context is a subtree of the DIT, all entries of which have a
> > common administrative authority and are held in the same master DSA.
> > A naming context starts at a vertex of the DIT (other than the root) and
> > extends downwards to leaf and/or non-leaf vertices. Such vertices
> > constitute the border of the naming context. The superior of the
> > starting vertex of a naming context is not held in that master DSA.
> >
> > The last sentence above clearly points out that in your example you only
> > have one naming context. Therefore if you want to present another
> > correct example I will try to answer your questions.
>
> No. You assumed that the two contexts are under a common administrative
> authority. They are mastered by a common server, but each separate and
> distinct administrative control. As such, they are two separate naming
> contexts.
>
No. X.500 differentiates between administrators of entries and
administrators of DSAs (LDAP servers) and naming contexts. The
text above is referring to DSA administrators not DIT administrators.
Since the entries are mastered in the same server they are
necessarily under the control of the same DSA administrative
authority, even though they may be controlled by separate DIT
(entry) administrators.

This is a fundamental difference between X.500 and LDAP that I
have repeatedly tried to present e.g. to the access control people for
example. X.500 recognises that the distribution into naming contexts
i.e. distribution between servers, is totally independent of the
distribution of administrative control over entries. A single DIT
administrative domain may be spread between multiple servers
(naming contexts) or a single naming context may have multiple DIT
administrators.

To give you an example of the former, company A has its DIT
spread over six servers (one DIT administrator and six DSA
administrators). To give you an example of the latter, suppose
telecom supplier B runs an outsourcing directory service to orgs A
and C. A and C administer their own DIT domains but both DIT
domains are held in the same server and hence may be part of the
same naming context, which is administered by B (two DIT
administrators and one DSA administrator).

Therefore your example is still flawed. It is still one naming context,
albeit administered by two separate DIT administrators.

David
> Kurt
>
***************************************************
David Chadwick
IS Institute, University of Salford, Salford M5 4WT
Tel +44 161 295 5351 Fax +44 161 745 8169
Mobile +44 790 167 0359
*NEW* Email D.W.Chadwick@salford.ac.uk *NEW*
Home Page http://www.salford.ac.uk/its024/chadwick.htm
Understanding X.500 http://www.salford.ac.uk/its024/X500.htm
X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm
Entrust key validation string MLJ9-DU5T-HV8J
***************************************************