[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: LDAP DIT Design

On 12/10/12 12:20 +0200, Valentin Bud wrote:
Hello World,

I am using OpenLDAP for quite some time now, a few months. I have set up a simple
directory following DNS, RFC2247, directory structure,

I use the directory to store POSIX accounts. Now I want to extend the
directory to store application configuration, starting with Postfix
virtual domains and maps. I would also like to store Kerberos principals
in the future.

I would recommend lab'ing it up before committing to a design. If your
domains are truly separate, in that you will have equipment dedicated to
each domain, then your approach below makes since.

However, if you have a scenario where you have, say, an email server that
you intend to support SMTP authentication, or relay, for several domains
from one server, it may be difficult for all the various software pieces
involved to fit the design.

Consider the scenario where 'jim' at 'compA.com' is requesting some
resource. Postfix, sasl, heimdal/mit, your pam/nss ldap modules, will need
to know how to convert that request to a filter of 'uid=jim' and a base of

Another approach, and the one that I chose in my network, is to have a flat


Which simplifies the configuration of all the various pieces.

This has one big drawback, in that some pam/nss modules don't like to
see an '@' symbol in the uid, such as nssov and pam-nss-ldapd (although the
latter now has a configurable option to support it).

You might also consider how you expect to provision users. Will one group
of administrators provision new users, or will different groups provision
users for different domains? In which case a separated DIT design may be
easier to manage.

For now I have three companies I want to use OpenLDAP for. Each of this
companies have part of the above services in their premises and in some
datacenters. I would like to configure replication between the
datacenter and the premise.

Maybe more companies will be added to the mix in the future.
Do you think it would be safe to use an empty suffix "" and go with
RFC2247 structure downwards?

                         " "
        + - - - - - - - - + - - - - - - - - +
        |                                   |
      dc=net                              dc=com
        |                                   |
     dc=compX                 + - - - - - - + - - - - - - +
                              |                           |
                           dc=compA                     dc=compB

I think this way it would be easy to replicate `dc=compA,dc=com` from
the datacenter servers to the on-premise ones. Also this would keep
things simple (?). Each company would get an `ou` for people and one for

I would also want to add the fact that some directories will also be
used to store Samba ID maps but I guess this makes no difference on how
the directory in structured.

What do you people think about this approach? If some of you have some
information on the topic of DIT Design please share so I can learn more.

Dan White