
Re: DN question?

On Fri, Nov 14, 2003 at 05:57:27PM -0500, Frank Swasey wrote:

> > In relation to this, I'm curious about ou/o vs. dc.  We use uid=x,
> > cn=accounts,dc=stanford,dc=edu for example, rather than uid=x,
> > ??=accounts,ou=stanford,o=edu.  What are the pros/cons?  Is there a
> > particular reason to use one syntax over the other?
> dc is what most people suggest these days because it makes it easier to
> convert a domain into a database to do searches against.  The older
> ou=/o= is from the X.500 specs.

The DC form certainly maps easily to DNS names. This can be very
convenient for some applications. The problem with it is that it is
not very helpful to people who want to do a 'white pages' search
but who do not already know the domain name of the organisation they
are looking for.

There are not many people trying to do this of course, largely because
LDAP did not support distributed directories in any meaningful way
until v3, and even now there are unsolved problems that need sorting
out before a global directory could be considered.

It is a shame that we have got into this state, as X.500 had
distributed operation in it from the start and LDAP has barely reached
the capability of the 1993 version of that standard. LDAP is no longer
simpler than X.500(1993) either :-( The PARADISE project had a
distributed directory covering hundreds of organisations and over a
million people using X.500 technology in 1992.

The naming issue that started this thread is independent of technology
though, and I would suggest always using a name that you can lay claim
to globally just in case you ever need to link up with another
directory. Thus, using the DC form (e.g. dc=stanford,dc=edu) is good if you
have authority over the stanford.edu domain. If you have less
authority, then add more dc= components to reflect the bit you do have
authority over. It is always worth considering adding an extra
component under your organisation's 'natural' DN so that you don't hog
the whole of the space that may be wanted for other views of the data
later on. Thus if you are installing LDAP to do login authentication
for a computing cluster you might go for something like

If you want to use a country-code top-level RDN (e.g. o=stanford,c=us)
then you need to find out what registry controls the top-level domain
of your choice and what their rules are. This is just the same as with
DNS really - you cannot go making up domain names under bits of the
DNS namespace that you do not control. Some countries have rules that
handle common cases very easily - for example the UK rules state that
any registered company can use its full company name *including the
Ltd or PLC or equivalent designators* as an org name directly under
c=GB. Thus my own company can use 'o=Skills 1st Ltd,c=gb' without
having to do anything to register it. This is too clumsy for some
organisations though so they may need to go through some registration
process (would you really want to use 'o=Leland Stanford Junior
University, l=CA, c=US'?)

|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
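As an added example (not part of Andrew Findlay's post and not code from any of the projects mentioned), the following Python builds DNs the way the post recommends: a DNS domain the installer has authority over is mapped to dc= components (a deeper domain yielding more of them), an extra container component is placed under the organisation's natural DN, and every RDN value is escaped per RFC 4514 so that a value containing a comma, such as the 'Leland Stanford Junior University, l=CA' case, cannot be misread as extra RDN components. The function names, the `cn=accounts` default container and the sample uids are assumptions chosen for the illustration.

```python
import re

# RFC 4514 section 2.4: characters that must always be escaped inside an
# attribute value; a leading '#', a leading or trailing space and NUL are
# handled separately below.
_SPECIAL = set(',+"\\<>;')

# A DNS label: letters, digits and hyphens, no leading/trailing hyphen, max 63.
_LABEL = re.compile(r'[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use as the value part of an RDN.

    Without this, a value such as 'Leland Stanford Junior University, l=CA'
    would be parsed as two RDNs instead of one, and a user-supplied uid
    could append components to the DN being built.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:
            out.append('\\#')
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)


def domain_to_base_dn(domain: str) -> str:
    """Map a DNS domain you have authority over to its dc= form.

    'stanford.edu' -> 'dc=stanford,dc=edu'; a deeper domain such as
    'cluster.cs.stanford.edu' yields more dc= components, which is how the
    post suggests reflecting a narrower scope of authority.
    """
    labels = [p for p in domain.strip().strip('.').lower().split('.') if p]
    if not labels:
        raise ValueError('empty domain')
    for label in labels:
        if not _LABEL.fullmatch(label):
            raise ValueError(f'invalid DNS label: {label!r}')
    return ','.join(f'dc={label}' for label in labels)


def dn_from_rdns(rdns):
    """Join (attribute, value) pairs, leaf first, into a DN string with escaping."""
    return ','.join(f'{attr}={escape_rdn_value(val)}' for attr, val in rdns)


def account_dn(uid: str, domain: str, container=('cn', 'accounts')) -> str:
    """Build uid=<uid>,<container>,<dc-form of domain>.

    The extra container component (assumed here to be cn=accounts) keeps the
    top of the organisation's subtree free for other views of the data, as
    the post recommends.
    """
    if not uid:
        raise ValueError('empty uid')
    return dn_from_rdns([('uid', uid), container]) + ',' + domain_to_base_dn(domain)


if __name__ == '__main__':
    # Constructed sample values, not real accounts.
    print(account_dn('jsmith', 'stanford.edu'))
    print(account_dn('jsmith', 'cluster.cs.stanford.edu'))
    # A uid containing a comma: escaping keeps it a single RDN value.
    print(account_dn('admin,cn=config', 'stanford.edu'))
    print(dn_from_rdns([('o', 'Leland Stanford Junior University'), ('l', 'CA'), ('c', 'US')]))
    print(dn_from_rdns([('o', 'Skills 1st Ltd'), ('c', 'gb')]))
```

The check worth noticing is the third print: the comma inside the uid comes out as `\,`, so the directory sees one RDN value rather than an extra `cn=config` component. Label validation in `domain_to_base_dn` rejects anything that is not a syntactically valid DNS label, which is a cheap way to catch typos before they become a misplaced subtree.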