[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Existing AD, how to handle suffix for new OpenLDAP install?

Jonathan Beasley <jon-openldap-software@1badpixel.com> writes:

> Hello!
> We currently have an Active Directory (W2k) domain for our organization, with a
> DNS domain name "Enterprise.federation"
> So, Active Directory LDAP service has a naming context of
> "dc=Enterprise,dc=federation"
> Anyway, my question (finally, sorry) is concerning the 'suffix' setting in
> slapd.conf.  The example in the file is:
> suffix      "dc=my-domain,dc=com"
> which, in my case, would seem to be:
> suffix      "dc=Enterprise,dc=federation"
> "But," surmised I, "wouldn't that step on the toes of my Active Directory
> domain, since it is the very same LDAP naming context?"
> Would it?
> Can they share the same suffix?
> Must the new OpenLDAP directory suffix be a subset of the AD LDAP suffix? e.g.
> -
> suffix      "dc=openldap,dc=Enterprise,dc=federation"
> If the OpenLDAP suffix must be a subset of the AD suffix, do I just arbitrarily
> pick something for the name of the first domain component of this new FQDN? The
> last two domain components are taken from my DNS domain name.
> Am I making this more difficult than it has to be? :)
> BTW - we are planning to use OpenLDAP for more than just the qmail-ldap
> installation.

Well, in a strict sense of distributed databases, the naming context
should be an extension of your companies root, in particular if you you
want to propagate hostname, service and naming context by DNS service
resource records.A suffix like ou=people,dc=enterprise,dc=federation,
would be more apropriate.

BTW, you might want to indulge into RFC2377, i have never heard of a
top level domain federation :-)


Dieter Klünter | Systemberatung
Tel.: +49.40.64861967
Fax : +49.40.64891521