
RE: Do DN's have to be rooted at country



> Country does not have to be a part of the dn. Actually
> there's a movement
> out now to make dn's a bit easier to understand (see
> rfc2377 which
> came out last month).

Yes, there are divergent opinions on how to name the root of your directory.
My perception is that it matters a lot less than it does with X.500, as LDAP
referrals can direct the client to an arbitrary part of a server's DIT.

Here are some of the approaches that I've seen; note that I'm not addressing
the issue of how you publish the fact that your organization serves part of
the DIT. I'm sure X.500 die-hards will have something to add on this issue
:-)

1/ X.500 organization+country, e.g. o=Xedoc Software Development,c=AU. The
implication is that a naming authority grants you that part of the
namespace; I think in the US, it's the ANSI. In Australia, I believe that
(by virtue of having a registered company name) you can automatically
"claim" a part of the DIT.

2/ Variations on the X.500 theme, such as omitting the country and just
using the organization or using the organization's domain name as the
"organization" (eg. o=xedoc.com. IMHO this is wrong; I *think* the reason
some vendors recommended it related to certificates requiring organizational
names). I think MS Exchange uses this (eg. o=Xedoc Software Development)
too.

3/ RFC 1279, mapping a DNS domain (eg. xedoc.com) to
dc=xedoc,dc=com,o=Internet.

4/ RFC 2247, essentially the same thing with the o=Internet dropped.

My personal preference is for the last option, particularly as it works
nicely with DNS SRV records to allow a client to find an LDAP server and
naming context once it knows its domain name. This approach is supported by
the nss_ldap module and NT 5.0, and it nicely leverages the distributed
nature of the DNS. (On the other hand, you can use DNS TXT records to
accomplish the same thing with non-DC names, as JNDI does.)

Just my 2c.



-- Luke
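As an added example (not part of Luke's post or any project he mentions), the following Python shows the two DNS-to-DN mappings discussed above, RFC 1279 (dc components under o=Internet) and RFC 2247 (dc components alone), the `_ldap._tcp.<domain>` SRV owner name a client queries to locate the LDAP server for a domain, and the inverse mapping from a dc-only DN back to a domain. Function names, the label regex and the rejection of mixed (non-dc) RDNs are my own choices, not anything the RFCs mandate.

```python
# Added example: DNS domain <-> LDAP DN mappings from the discussion above.
# Names and validation rules are assumptions made for this illustration.
import re
from typing import List

# One DNS label: 1-63 chars, alphanumerics and hyphens, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def domain_labels(domain: str) -> List[str]:
    """Split a DNS domain into labels (trailing dot tolerated), validating each."""
    labels = domain.strip().rstrip(".").split(".")
    if not labels or any(not LABEL_RE.match(label) for label in labels):
        raise ValueError(f"invalid DNS domain: {domain!r}")
    return labels


def rfc2247_dn(domain: str) -> str:
    """RFC 2247 style: every label becomes a dc= RDN, most specific label first."""
    return ",".join(f"dc={label}" for label in domain_labels(domain))


def rfc1279_dn(domain: str) -> str:
    """RFC 1279 style: the same dc components, rooted under o=Internet."""
    return rfc2247_dn(domain) + ",o=Internet"


def ldap_srv_name(domain: str) -> str:
    """SRV owner name (RFC 2782 _service._proto.name) a client would query
    to find an LDAP server for the domain, i.e. _ldap._tcp.<domain>."""
    return "_ldap._tcp." + ".".join(domain_labels(domain))


def dn_to_domain(dn: str) -> str:
    """Inverse of rfc2247_dn. Only dc= RDNs are accepted, so a caller
    handed an X.500-style or RFC 1279 DN notices instead of silently
    getting a wrong domain back."""
    labels = []
    for rdn in (part.strip() for part in dn.split(",")):
        attr, sep, value = rdn.partition("=")
        if not sep or attr.strip().lower() != "dc" or not value:
            raise ValueError(f"non-dc or malformed RDN in DN: {rdn!r}")
        labels.append(value.strip())
    return ".".join(labels)


if __name__ == "__main__":
    for d in ("xedoc.com", "ldap.example.org."):
        print(d, "->", rfc2247_dn(d), "|", rfc1279_dn(d), "|", ldap_srv_name(d))
    print(dn_to_domain("dc=xedoc,dc=com"))
```

The domain-to-DN direction is what a client following the RFC 2247 convention does once it knows its own domain (find the SRV record, then use the dc-mapped DN as the naming context); the inverse is useful when auditing a directory to check that its naming contexts actually correspond to domains the organization controls.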