
Re: namedref-00: manageDsaIt question



David Chadwick wrote:
> 
> Date sent:              Thu, 05 Aug 1999 11:58:45 -0700
> From:                   "Kurt D. Zeilenga" <Kurt@OpenLDAP.Org>
> Organization:           OpenLDAP <http://www.openldap.org/>
> To:                     d.w.chadwick@salford.ac.uk
> Subject:                Re: namedref-00: manageDsaIt question
> 
> > David Chadwick wrote:
> > >
> > > Date sent:              Tue, 03 Aug 1999 17:57:13 -0700
> > > From:                   "Kurt D. Zeilenga" <Kurt@OpenLDAP.Org>
> > > Organization:           OpenLDAP <http://www.openldap.org/>
> > > To:                     d.w.chadwick@salford.ac.uk
> > > Copies to:              ietf-ldapext@netscape.com
> > > Subject:                Re: namedref-00: manageDsaIt question
> > >
> > > > Maybe I should give another example.
> > > >
> > > > server M masters two naming contexts
> > > >  "o=abc,c=us"
> > > >  "ou=hq,o=abc,c=us"
> > >
> > > Kurt, this example is flawed, since you only have one naming
> > > context by definition. A naming context is defined as (quoting from
> > > X.501)
> > >
> > > A naming context is a subtree of the DIT, all entries of which have a
> > > common administrative authority and are held in the same master DSA.
> > > A naming context starts at a vertex of the DIT (other than the root) and
> > > extends downwards to leaf and/or non-leaf vertices. Such vertices
> > > constitute the border of the naming context. The superior of the
> > > starting vertex of a naming context is not held in that master DSA.
> > >
> > > The last sentence above clearly points out that in your example you only
> > > have one naming context. Therefore if you want to present another
> > > correct example I will try to answer your questions.
> >
> > No.  You assumed that the two contexts are under a common administrative
> > authority.  They are mastered by a common server, but each is under separate and
> > distinct administrative control.  As such, they are two separate naming
> > contexts.
> >
>
> No, X.500 differentiates between administrators of entries and
> administrators of DSAs (LDAP servers) and naming contexts.

My example was LDAP based, not X.500 based.  LDAP allows a
single LDAP server to operate over multiple DSAs.  Each DSA can provide
multiple DITs, but in this case each DSA is providing one DIT.
As such, the X.500 DSA/DIT rules are maintained for the DSA.
The problem is that the I-D doesn't cover situations where a configuration
allowed by LDAP does not map well onto X.500.

> To give you an example of the former, company A has its DIT
> spread over six servers (one DIT administrator and six DSA
> administrators). To give you an example of the latter, suppose
> telecom supplier B runs an outsourcing directory service to orgs A
> and C. A and C administer their own DIT domains but both DIT
> domains are held in the same server and hence may be part of the
> same naming context, which is administered by B (two DIT
> administrators and one DSA administrator).

The example I give has two separate organizations with two separate
DITs in two separate DSAs sharing one LDAP server.  I believe this
is allowed by LDAP specifications.