
Re: LDAP control for multiple domains



> > What benefit does o=*,c=*, offer?
> 	Thanks for your reply.
> 	I had never proposed o=*,c=*.  My only observation was that in
> supporting multiple domains within my own LDAP server (using the LDAP
> server for authentication, mostly), splitting all domain names into their
> dc components was less convenient than keeping the entries whole.

Right.  We actually keep multiple domains in a single rooted DIT
(o=Morrison Industries,c=US), and alias dc=*,dc=* to it, and also use
relatedDomain attributes where necessary, which makes it much more
convenient.  We are a mother administrative corporation with 13
children corporations, and people do move between them fairly
frequently.  Fortunately we don't need to add/remove dc=*,dc=* very often
as we only buy/sell another corporation about once a year.  One does
have to bounce the server.  We edit slapd.conf and then use at to have
"service slapd restart" run at 4:00am, which is pretty quiet around here.

> > SRV records are "Service" records.  They provide via DNS (universally
> > supported) a way for clients to locate IMAP, LDAP, POP, SMTP, Kerberos,
> > services appropriate to them.
> This is very interesting.  If you have any references (RFCs, URLs,
> book titles, product names) I would greatly appreciate it.

ftp://kalamazoolinux.org/pub/pdf/ldapv3.pdf  (I wrote it :)  Actually
some of the best sources of SRV information are the WinY2k administrative
manuals, as WinY2k/XPee really take advantage of SRV records.
Unfortunately Open Source developers have been pretty clueless about
easing administrative issues and are only now coming around.

> In a recent project I spent a great deal of time setting up
> systems that constantly test the network, and take corrective action when
> problems are discovered.  Would that fall under the "Zero Administration
> Network" title?  Or does it apply only to automatic configuration of new
> clients?  How does it relate to security updates and test-group rollouts?

It could relate to all those things.  SRV records have priority elements
just like MX, so one can specify multiple SMTP, POP, etc... servers in
an order of preference.

> (I'm not expecting answers, just looking for references -- I have
> previously only heard the term "Zero Administration Network" as a
> marketing term, like "Faster Internet" or "100% Secure".)

It isn't exactly zero, and it is still maturing, but it does help.

> > If those applications use LDAP for their operation, how much effort did
> > you expend configuring the client?

Almost none.  Select DHCP for interface configuration.

> So I can now qualify my initial observation: splitting up *all*
> entries which happen to be domain names seems rather purposeless.  I had
> made the mistake at the outset of splitting all of my entries (which
> happened to be domain names) into their dc components -- which was
> counterproductive to solving my problem.  It does not seem to me that RFC
> 2247 is recommending that practice anyhow, so my mistake was extending the
> dc=foo, dc=com examples I read about to every domain entry in my database.

I believe ADS uses dc=*,dc=* so it will probably become a pervasive
de facto standard.
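The priority/weight ordering of SRV records mentioned above, as an added example that is not part of this thread: a client-side implementation of the RFC 2782 selection rule (lowest priority first, weighted-random order within a priority). The records for _ldap._tcp.example.com are constructed sample data, not real hosts.

```python
"""Client-side ordering of SRV records by priority and weight (RFC 2782)."""
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class SrvRecord:
    priority: int  # lower values are tried first, like an MX preference
    weight: int    # relative share of connections within one priority
    port: int
    target: str

# Constructed sample answer for _ldap._tcp.example.com (not real hosts).
SAMPLE_SRV = [
    SrvRecord(20, 0, 389, "ldap-backup.example.com."),
    SrvRecord(10, 60, 389, "ldap1.example.com."),
    SrvRecord(10, 40, 389, "ldap2.example.com."),
]

def _pick_weighted(group, rng):
    """RFC 2782 choice within one priority: weight-0 records go first, then a
    random point in [0, total weight] selects a record by running sum."""
    ordered = sorted(group, key=lambda r: r.weight != 0)
    threshold = rng.randint(0, sum(r.weight for r in ordered))
    running = 0
    for rec in ordered:
        running += rec.weight
        if running >= threshold:
            return rec
    return ordered[-1]  # not reached with non-negative weights

def order_srv(records, seed=None):
    """Return records in the order a client should try them: ascending
    priority, weighted-random order inside each priority group."""
    rng = random.Random(seed)  # seed only to make the order reproducible
    groups = {}
    for rec in records:
        groups.setdefault(rec.priority, []).append(rec)
    ordered = []
    for prio in sorted(groups):
        remaining = list(groups[prio])
        while remaining:
            chosen = _pick_weighted(remaining, rng)
            ordered.append(chosen)
            remaining.remove(chosen)
    return ordered
```

A backup server with a higher priority number is only reached after every record in the lower priority group has been tried, which is the failover behaviour the thread describes.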