
Kenny Mann wrote:

> I'm planning on implementing LDAP (just to play -- I've done the same in
> MySQL already).
> I'd like to do virtual hosting, which would involve Apache and Postfix.
> For now, I'm researching the Postfix stuff.
> I have 'Deploying OpenLDAP' by Tom Jackiewicz and an O'Reilly one as well,
> but they don't explain it in enough detail that I understand it.
> I'm thinking I need to make the top container an organization and add
> domains below that, but not 100% certain of how.
You can make a DIT to your own taste. There are no rules, just
conventions. The most common are o=<myorg>,c=<two letter country code>
and dc=<firstdomaincomponent>,dc=<seconddomaincomponent>,dc=<tld>, and if
you wish to have multiple TLDs in one tree, add a pseudo root like
dc=dot. Your DIT can be (mostly) flat or nested, and that will greatly
influence the flexibility and design of your server. Let me give you two
examples:
|
18 |
1. Nested |
19 |
|
20 |
dc=dot |
21 |
|-dc=com,dc=dot |
22 |
|-dc=net,dc=dot |
23 |
|-domain=mydomain,dc=net,dc=dot |
24 |
|-cn=user1,domain=mydomain,... |
25 |
|
As you can see, part of the information is held by the structure itself;
that is, if you would like to move a user from domain1 to domain2 you need to
delete the DN with all its attributes and possible sub-branches (which
might be painful) and re-add it to another branch (this is slow as well,
but normally won't happen often). You can search for this user simply by
a filter like:

(&(objectClass=posixAccount)(cn=user1))

2. Flat

dc=domaininfo,dc=myorg,dc=whatever
|-ou=domainusers,dc=domaininfo,...
  |-cn=user1,ou=domainusers,...
  |-cn=user2,ou=domainusers,...
  |-cn=user3,ou=...

In this case, the information about which specific domain a user belongs to is
held in the entry itself, like so:

cn=user1+domain=mydomain.org,ou=domainusers,dc=myorg,dc=whatever
objectClass: posixAccount
objectClass: domain
domain: mydomain.org
cn: user1
...
...

Note the multivalued RDN to uniquely identify users and allow the same
username in different domains. The search filter would look like:

(&(objectClass=posixAccount)(cn=user1)(domain=mydomain.org))

> The question I have is can someone point me a direction as to where I can
> learn the structure and meanings of the dc, ou, etc. so I can figure out the
> layout of the DIT?

Get yourself a schema browser (gq, a GTK app, is nice) or read the
schema files in the /etc/openldap/schema directory.

hth
Paul

--
gentoo-server@g.o mailing list