| 1 |
Ah ,I wasn't aware I can make it that... Grainular (sp?). |
| 2 |
I may have a misunderstanding, but I think that since I'm doing virtual |
| 3 |
domains that I can't have my primary domain at the very time (IE: dc=domain, |
| 4 |
dc=com) and that I have to use the o=,c= method -- otherwise Postfix won't |
| 5 |
trickle down to find the correct domain. |
| 6 |
|
| 7 |
And thanks Robert for the links! I'll check them out! |
| 8 |
|
| 9 |
Kenny |
| 10 |
|
| 11 |
> -----Original Message----- |
| 12 |
> From: Paul Kölle [mailto:pkoelle@×××××.com] |
| 13 |
> Sent: Wednesday, June 15, 2005 2:42 PM |
| 14 |
> To: gentoo-server@l.g.o |
| 15 |
> Subject: Re: [gentoo-server] LDAP virtual server question |
| 16 |
> |
| 17 |
> Kenny Mann wrote: |
| 18 |
> > I'm planning on implementing LDAP (just to play -- I've |
| 19 |
> done the same |
| 20 |
> > in MySQL already) I'd like to do virtual hosting, which |
| 21 |
> would involve |
| 22 |
> > Apache and Postfix. |
| 23 |
> > For now, I'm researching the Postfix stuff. |
| 24 |
> > I have 'Deploying OpenLDAP by Tom Jackiewicz' and an |
| 25 |
> O'Reilly one as |
| 26 |
> > well, but they don't explain it in enough detai lthat I |
| 27 |
> understand it. |
| 28 |
> > I'm thinking I need to make the top container an |
| 29 |
> organization and add |
| 30 |
> > domains below that, but not 100% certain of how. |
| 31 |
> You can make a DIT of your own taste. There are now rules, |
| 32 |
> just conventions. The most common are o=<myorg>,c=<two letter |
| 33 |
> country code> and |
| 34 |
> dc=<firstdomaincomponent>,dc=<seconddomaincomponent>,dc=<tld> |
| 35 |
> and if you wish to have multiple TLDs in one tree add a |
| 36 |
> pseudo root like dc=dot. Your DIT can be (mostly) flat ore |
| 37 |
> nested and that will greatly influence the flexibility and |
| 38 |
> design of your server. Let me give you two |
| 39 |
> examples: |
| 40 |
> |
| 41 |
> 1. Nested |
| 42 |
> |
| 43 |
> dc=dot |
| 44 |
> |-dc=com,dc=dot |
| 45 |
> |-dc=net,dc=dot |
| 46 |
> |-domain=mydomain,dc=net,dc=dot |
| 47 |
> |-cn=user1,domain=mydomain,... |
| 48 |
> |
| 49 |
> As you can see, part of the information is held by the |
| 50 |
> structure itself, that is, if you like to move an user from |
| 51 |
> domain1 to domain2 you need to delete the DN with all its |
| 52 |
> attributes and possible subbranches (which might be painful), |
| 53 |
> and readd to another branch (this is slow as well, but won't |
| 54 |
> happen often normally). You can search for this user simply |
| 55 |
> by a filter like: |
| 56 |
> |
| 57 |
> (&(objectClass=posixAccount)(cn=user1)) |
| 58 |
> |
| 59 |
> 2. Flat |
| 60 |
> |
| 61 |
> dc=domaininfo,dc=myorg,dc=whatever |
| 62 |
> |-ou=domainusers,dc=domaininfo,... |
| 63 |
> |-cn=user1,ou=domainusers,... |
| 64 |
> |-cn=user2,ou=domainusers,... |
| 65 |
> |-cn=user3,ou=... |
| 66 |
> |
| 67 |
> In this case, the information to which specific domain a user |
| 68 |
> belongs is held in the entry itself like so: |
| 69 |
> |
| 70 |
> cn=user1+domain=mydomain.org,ou=domainusers,dc=myorg,dc=whatever |
| 71 |
> objectClass: posixAccount |
| 72 |
> objectClass: domain |
| 73 |
> domain: mydomain.org |
| 74 |
> cn: user1 |
| 75 |
> ... |
| 76 |
> ... |
| 77 |
> |
| 78 |
> Note the multivalued RDN to uniquely identify users and allow |
| 79 |
> the same username in different domains. The search filter |
| 80 |
> would look like: |
| 81 |
> |
| 82 |
> (&(objectClass=posixAccount)(cn=user1)(domain=mydomain.org)) |
| 83 |
> |
| 84 |
> > The question I have is can someone point me a direction as |
| 85 |
> to where I |
| 86 |
> > can learn the structure and meanings of the dc, ou, etc so I can |
| 87 |
> > figure out the layout of the DIT? |
| 88 |
> Get yourself a schema browser (gq, a gtk app, is nice) or |
| 89 |
> read the schema files in the /etc/openldap/schema directory. |
| 90 |
> |
| 91 |
> hth |
| 92 |
> Paul |
| 93 |
> |
| 94 |
> |
| 95 |
> |
| 96 |
> -- |
| 97 |
> gentoo-server@g.o mailing list |
| 98 |
> |
| 99 |
> |
| 100 |
|
| 101 |
|
| 102 |
|
| 103 |
-- |
| 104 |
gentoo-server@g.o mailing list |
Archives