| 1 |
Kenny Mann wrote: |
| 2 |
> I'm planning on implementing LDAP (just to play -- I've done the same in |
| 3 |
> MySQL already) |
| 4 |
> I'd like to do virtual hosting, which would involve Apache and Postfix. |
| 5 |
> For now, I'm researching the Postfix stuff. |
| 6 |
> I have 'Deploying OpenLDAP by Tom Jackiewicz' and an O'Reilly one as well, |
| 7 |
> but they don't explain it in enough detai lthat I understand it. |
| 8 |
> I'm thinking I need to make the top container an organization and add |
| 9 |
> domains below that, but not 100% certain of how. |
| 10 |
You can make a DIT of your own taste. There are now rules, just |
| 11 |
conventions. The most common are o=<myorg>,c=<two letter country code> |
| 12 |
and dc=<firstdomaincomponent>,dc=<seconddomaincomponent>,dc=<tld> and if |
| 13 |
you wish to have multiple TLDs in one tree add a pseudo root like |
| 14 |
dc=dot. Your DIT can be (mostly) flat ore nested and that will greatly |
| 15 |
influence the flexibility and design of your server. Let me give you two |
| 16 |
examples: |
| 17 |
|
| 18 |
1. Nested |
| 19 |
|
| 20 |
dc=dot |
| 21 |
|-dc=com,dc=dot |
| 22 |
|-dc=net,dc=dot |
| 23 |
|-domain=mydomain,dc=net,dc=dot |
| 24 |
|-cn=user1,domain=mydomain,... |
| 25 |
|
| 26 |
As you can see, part of the information is held by the structure itself, |
| 27 |
that is, if you like to move an user from domain1 to domain2 you need to |
| 28 |
delete the DN with all its attributes and possible subbranches (which |
| 29 |
might be painful), and readd to another branch (this is slow as well, |
| 30 |
but won't happen often normally). You can search for this user simply by |
| 31 |
a filter like: |
| 32 |
|
| 33 |
(&(objectClass=posixAccount)(cn=user1)) |
| 34 |
|
| 35 |
2. Flat |
| 36 |
|
| 37 |
dc=domaininfo,dc=myorg,dc=whatever |
| 38 |
|-ou=domainusers,dc=domaininfo,... |
| 39 |
|-cn=user1,ou=domainusers,... |
| 40 |
|-cn=user2,ou=domainusers,... |
| 41 |
|-cn=user3,ou=... |
| 42 |
|
| 43 |
In this case, the information to which specific domain a user belongs is |
| 44 |
held in the entry itself like so: |
| 45 |
|
| 46 |
cn=user1+domain=mydomain.org,ou=domainusers,dc=myorg,dc=whatever |
| 47 |
objectClass: posixAccount |
| 48 |
objectClass: domain |
| 49 |
domain: mydomain.org |
| 50 |
cn: user1 |
| 51 |
... |
| 52 |
... |
| 53 |
|
| 54 |
Note the multivalued RDN to uniquely identify users and allow the same |
| 55 |
username in different domains. The search filter would look like: |
| 56 |
|
| 57 |
(&(objectClass=posixAccount)(cn=user1)(domain=mydomain.org)) |
| 58 |
|
| 59 |
> The question I have is can someone point me a direction as to where I can |
| 60 |
> learn the structure and meanings of the dc, ou, etc so I can figure out the |
| 61 |
> layout of the DIT? |
| 62 |
Get yourself a schema browser (gq, a gtk app, is nice) or read the |
| 63 |
schema files in the /etc/openldap/schema directory. |
| 64 |
|
| 65 |
hth |
| 66 |
Paul |
| 67 |
|
| 68 |
|
| 69 |
|
| 70 |
-- |
| 71 |
gentoo-server@g.o mailing list |
Archives