
Re: LDAP server location and DN->DNS mapping



On Wed, 13 Dec 2000, David Chadwick wrote:

> If the question is "given the domain name for an organisation, I need
> to find its LDAP server"

This is not the problem the ldapext-locate document is trying to solve.
Rather, it is solving the problem:  given a DN, how do I find (via the
DNS) an LDAP server that contains the entry with that DN.  It chooses
to solve that problem only for the class of DNs whose most significant
RDNs are of type DC.

> (note. if my original question is not the one that the X.521 guys are
> wanting to answer, then if they tell me what it is, I will see if that
> is answerable with a different solution)

Upon further discussion, the situation is stated like this.  Some
organizations have large deployments using traditional X.500 civil naming
(o=Example Corp, c=nu).  They also have issued X.509 certificates using
those names.  They are as aware as anyone of the absence of a worldwide
X.500 directory, and would like to take advantage of clients that can use
SRV records to locate LDAP servers given a DN (e.g., the DN of a cert
issuer).  Adding directory contexts with DCs in them in lower levels of
their existing hierarchy they see as much easier and less disruptive than
establishing an entirely new naming hierarchy (while acknowledging that
DNs have to change in either case).  And based on this they ask what the
technical justification is for using the mapping specified in
ldapext-locate versus a looser mapping that would let them (as they see
it) transition more easily.  If the justification is "purity", or
attitudes of how naming hierarchies should be designed in practice, then
the assertion is that design of naming hierarchies should be left to
deployers.

> then I think the draft as it stands is just fine. An organisation using
> X.521 naming e.g. o=university of salford, c=gb, can still use the ID as
> it stands by creating a DC based alias entry for its organisation in its
> LDAP directory e.g. dc=salford, dc=ac, dc=uk and pointing this to its
> X.521 based organisation entry. The client can then use SRV records to
> find the TCP/IP address of the LDAP server and send a search request
> looking for david chadwick in the dc based organisation. The server will
> simply dereference the alias, map the dc organisation alias into the
> X.521 organisation and continue the search from there.

Hmm.  Do existing LDAP servers uniformly support this?  (not that it
answers the question on the table ...)

 - RL "Bob"
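Added illustration of the mapping step under discussion (my own code, not the ldapext-locate draft's text or anything posted in this thread): the DC RDNs at the most significant end of a DN become a DNS domain, which then names the SRV record to query. The `strict` flag models the draft's rule as described above (the most significant RDN must be DC, otherwise no mapping); `strict=False` is my reading of the "looser" mapping the X.521 deployers ask for, where DC components may sit below civil-naming RDNs, and is an assumption, not the draft's behaviour.

```python
def split_rdns(dn):
    """Split a string DN into RDNs on unescaped commas (RFC 2253 style).
    Backslash-escaped characters (e.g. '\\,') stay inside their RDN."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):
            cur.append(dn[i:i + 2])   # keep escape pair verbatim
            i += 2
            continue
        if ch == ',':
            rdns.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append(''.join(cur).strip())
    return rdns


def dn_to_domain(dn, strict=True):
    """Map a DN to a DNS domain name built from its DC RDNs.

    strict=True  : ldapext-locate style -- the run of DC RDNs must start at
                   the most significant (rightmost) RDN; returns None otherwise.
    strict=False : looser mapping (assumption): skip non-DC RDNs from the
                   most significant end until the first run of DC RDNs.
    In both modes the run ends at the first non-DC RDN below it."""
    labels = []
    for rdn in reversed(split_rdns(dn)):      # most significant first
        attr, _, value = rdn.partition('=')
        if attr.strip().lower() == 'dc':
            labels.append(value.strip())
        elif labels:
            break                              # run of DC RDNs is over
        elif strict:
            return None                        # top RDN is not DC: no mapping
    if not labels:
        return None
    return '.'.join(reversed(labels))          # least significant label first


def srv_query_name(dn, strict=True):
    """Owner name of the SRV record a client would look up for this DN."""
    domain = dn_to_domain(dn, strict)
    return None if domain is None else '_ldap._tcp.' + domain
```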