[Date Prev][Date Next] [Chronological] [Thread] [Top]


Hello World,

I am using OpenLDAP for quite some time now, a few months. I have set up a simple
directory following DNS, RFC2247, directory structure,

I use the directory to store POSIX accounts. Now I want to extend the
directory to store application configuration, starting with Postfix
virtual domains and maps. I would also like to store Kerberos principals
in the future.

For now I have three companies I want to use OpenLDAP for. Each of this
companies have part of the above services in their premises and in some
datacenters. I would like to configure replication between the
datacenter and the premise. 

Maybe more companies will be added to the mix in the future. 
Do you think it would be safe to use an empty suffix "" and go with
RFC2247 structure downwards?

                          " "
         + - - - - - - - - + - - - - - - - - +
         |                                   |
       dc=net                              dc=com
         |                                   |
      dc=compX                 + - - - - - - + - - - - - - +
                               |                           |
                            dc=compA                     dc=compB

I think this way it would be easy to replicate `dc=compA,dc=com` from
the datacenter servers to the on-premise ones. Also this would keep
things simple (?). Each company would get an `ou` for people and one for

I would also want to add the fact that some directories will also be
used to store Samba ID maps but I guess this makes no difference on how
the directory in structured.

What do you people think about this approach? If some of you have some
information on the topic of DIT Design please share so I can learn more.

Thank you. Cheers and Goodwill,