
Re: LDAP control for multiple domains

> ice.com, snow.com, sleet.com with ice being the main one. Could I set up the
> following:
> dc="ice" dc="com"
> dc="snow" dc="com" dc="ice" dc="com"
> dc="sleet" dc="com" dc="ice" dc="com"

	First: You can set up your database however the hell you want.
Asking this question is like asking if you're allowed to create a
directory called "foo" on your hard drive.

	Second: The "dc=domain, dc=tld" layout has become popular lately
(I'm not sure but it may have something to do with some global directory
project), but I strongly recommend against it.

	Why?  Because it's difficult for apps that use LDAP to split a
domain into "dc=domain, dc=tld" searches.  For example, the Postfix SMTP
server will let you search for an email address in LDAP (to see if Postfix
should accept it, for example), and it offers the %u and %d (I think...
going off memory) macros for building a customized search filter for the
LDAP database.  If you have something like


	then you can use the %d to narrow your email address search to
that domain's sub-directory.  This allows you to use a simple schema like
posixAccount to store email users, because you can simply search on the
uid (login name, i.e., the 'dereks' in 'dereks@foo.com').  But if you have

dc=domain, dc=com

	Then you cannot search just that subdir for the given email
address.  The same is true when using different SASL realms, Apache
VirtualHosts with auth_ldap, or the courier IMAP server.

	Besides that, "dc=foo, dc=bar" is much harder to type than just
"foo.bar" and is the only place I've ever seen a domain name split into its
constituent components, outside of DNS.  Perhaps the use of LDAP for DNS
is where that tradition comes from.  In my opinion, it's a case of people
putting the technology before the people using it and that design should
only be used if it makes sense for the problem the LDAP server is trying
to solve.

	If somebody can offer an explanation, or list any benefits of such
a setup, I would very much like to hear them.  It seems to be the de facto
standard for all examples and default config files, and I'd like to know
why.  Running an OpenLDAP server for SMTP, IMAP, SASL, Apache auth, and
(soon) Outlook addressbooks, the dual "dc=" design seems greatly inferior
to simply listing the complete domain name so that the apps can easily
build useful search filters.  (Besides that, many ISPs use your domain
name as your customer I.D., so if you're an ISP there's yet another reason
not to split it up into constituent parts.)

Derek Simkowiak
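The following is an added example, not part of the post above or of any project it mentions. It shows what an application has to do to turn an e-mail address into a per-domain search base plus a uid filter under the two layouts discussed: a flat base holding the whole domain name in one RDN value (assumed here as dc=ice.com; the post does not name the attribute) and the split dc=ice,dc=com layout, including the nested form from the quoted question. The %u/%d naming mirrors the Postfix macros mentioned in the post; the escaping follows RFC 4514 (DN values) and RFC 4515 (filter values) so that a caller-supplied address cannot change the shape of the DN or the filter.

```python
"""Derive LDAP search base and filter from an e-mail address (added example).

Assumptions, not from the original post: the flat layout uses a single
dc=<full domain> RDN, and users are posixAccount entries searched by uid.
"""
from typing import Optional, Tuple

# RFC 4515: characters that must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# RFC 4514: characters that must be escaped anywhere in a DN attribute value.
_DN_SPECIAL = set(',+"\\<>;')


def escape_filter_value(value: str) -> str:
    """Escape a value for embedding in a search filter, e.g. der*ks -> der\\2aks."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape a value for use as an RDN attribute value in a DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        leading = i == 0 and ch in " #"
        trailing = i == last and ch == " "
        if ch in _DN_SPECIAL or leading or trailing:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def split_address(address: str) -> Tuple[str, str]:
    """Return (%u, %d): the local part and the lower-cased domain.

    Exactly one '@' is required and both parts must be non-empty, so an
    input such as 'a@b@c' or '@domain' is rejected rather than guessed at.
    """
    if address.count("@") != 1:
        raise ValueError(f"not a user@domain address: {address!r}")
    user, domain = address.split("@")
    if not user or not domain:
        raise ValueError(f"empty local part or domain: {address!r}")
    return user, domain.lower()


def flat_base(domain: str, suffix: Optional[str] = None) -> str:
    """Flat layout: the whole domain name as one RDN value (attribute assumed dc)."""
    rdn = f"dc={escape_dn_value(domain)}"
    return f"{rdn},{suffix}" if suffix else rdn


def split_base(domain: str, parent: Optional[str] = None) -> str:
    """Split layout: one dc= RDN per DNS label, most specific label first.

    `parent` lets a domain hang under another one, as in the quoted question
    where snow.com sits beneath dc=ice,dc=com.
    """
    labels = [label for label in domain.split(".") if label]
    if not labels:
        raise ValueError(f"domain has no labels: {domain!r}")
    base = ",".join(f"dc={escape_dn_value(label)}" for label in labels)
    return f"{base},{parent}" if parent else base


def uid_filter(user: str) -> str:
    """Filter matching a posixAccount by login name, with the value escaped."""
    return f"(uid={escape_filter_value(user)})"


def search_for(address: str, layout: str = "flat") -> Tuple[str, str]:
    """Return (base_dn, filter) for looking up `address` under the chosen layout."""
    user, domain = split_address(address)
    if layout == "flat":
        base = flat_base(domain)
    elif layout == "split":
        base = split_base(domain)
    else:
        raise ValueError(f"unknown layout: {layout!r}")
    return base, uid_filter(user)


if __name__ == "__main__":
    # Constructed sample address; 'dereks@foo.com' is the one used in the post.
    for layout in ("flat", "split"):
        print(layout, search_for("dereks@foo.com", layout))
    print("nested:", split_base("snow.com", parent="dc=ice,dc=com"))
```

The flat layout needs one string substitution for the base, whereas the split layout has to tokenise the domain before it can address the subtree; that tokenising step is the gap the post describes for applications that only expose %u and %d. The escaping functions are the part a practitioner should keep regardless of layout: a local part or domain containing `*`, `(`, `)`, `,` or `\` would otherwise widen the search or break the DN.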