Ah, I wasn't aware I can make it that... Granular (sp?).
I may have a misunderstanding, but I think that since I'm doing virtual
domains that I can't have my primary domain at the very time (i.e. dc=domain,
dc=com) and that I have to use the o=,c= method -- otherwise Postfix won't
trickle down to find the correct domain.

And thanks Robert for the links! I'll check them out!

Kenny

> -----Original Message-----
> From: Paul Kölle [mailto:pkoelle@×××××.com]
> Sent: Wednesday, June 15, 2005 2:42 PM
> To: gentoo-server@l.g.o
> Subject: Re: [gentoo-server] LDAP virtual server question
>
> Kenny Mann wrote:
> > I'm planning on implementing LDAP (just to play -- I've
> done the same
> > in MySQL already) I'd like to do virtual hosting, which
> would involve
> > Apache and Postfix.
> > For now, I'm researching the Postfix stuff.
> > I have 'Deploying OpenLDAP by Tom Jackiewicz' and an
> O'Reilly one as
> > well, but they don't explain it in enough detail that I
> understand it.
> > I'm thinking I need to make the top container an
> organization and add
> > domains below that, but not 100% certain of how.
> You can make a DIT of your own taste. There are no rules,
> just conventions. The most common are o=<myorg>,c=<two letter
> country code> and
> dc=<firstdomaincomponent>,dc=<seconddomaincomponent>,dc=<tld>
> and if you wish to have multiple TLDs in one tree add a
> pseudo root like dc=dot. Your DIT can be (mostly) flat or
> nested and that will greatly influence the flexibility and
> design of your server. Let me give you two
> examples:
>
> 1. Nested
>
> dc=dot
> |-dc=com,dc=dot
> |-dc=net,dc=dot
> |-domain=mydomain,dc=net,dc=dot
> |-cn=user1,domain=mydomain,...
>
> As you can see, part of the information is held by the
> structure itself, that is, if you like to move a user from
> domain1 to domain2 you need to delete the DN with all its
> attributes and possible subbranches (which might be painful),
> and re-add to another branch (this is slow as well, but won't
> happen often normally). You can search for this user simply
> by a filter like:
>
> (&(objectClass=posixAccount)(cn=user1))
>
> 2. Flat
>
> dc=domaininfo,dc=myorg,dc=whatever
> |-ou=domainusers,dc=domaininfo,...
> |-cn=user1,ou=domainusers,...
> |-cn=user2,ou=domainusers,...
> |-cn=user3,ou=...
>
> In this case, the information to which specific domain a user
> belongs is held in the entry itself like so:
>
> cn=user1+domain=mydomain.org,ou=domainusers,dc=myorg,dc=whatever
> objectClass: posixAccount
> objectClass: domain
> domain: mydomain.org
> cn: user1
> ...
> ...
>
> Note the multivalued RDN to uniquely identify users and allow
> the same username in different domains. The search filter
> would look like:
>
> (&(objectClass=posixAccount)(cn=user1)(domain=mydomain.org))
>
> > The question I have is can someone point me a direction as
> to where I
> > can learn the structure and meanings of the dc, ou, etc so I can
> > figure out the layout of the DIT?
> Get yourself a schema browser (gq, a gtk app, is nice) or
> read the schema files in the /etc/openldap/schema directory.
>
> hth
> Paul
>
>
>
> --
> gentoo-server@g.o mailing list
>
>



--
gentoo-server@g.o mailing list
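As an added illustration (not part of this thread, and not code from Paul or from OpenLDAP), the following Python script models both of Paul's layouts in memory with constructed sample entries and a toy evaluator for the filter subset used above (`&`, `|`, `!` and equality matches). The function names (`parse_ldif`, `parse_rdn`, `parse_filter`, `search`, `lookup_unique`) and all entries are my own assumptions. It shows that in the flat layout `(cn=user1)` alone matches two accounts and only the `domain=` term from the multivalued RDN makes the match unique, that in the nested layout the same uniqueness comes from the search base rather than the filter, and that a mailbox or login lookup should reject any result set that is not exactly one entry instead of taking the first hit.

```python
"""Added example: toy in-memory model of a nested and a flat LDAP DIT.
All entries below are constructed sample data; no directory is contacted."""

import re

# Nested layout: the domain is encoded in the tree, so two "user1" entries
# differ only by their parent branch.
NESTED_LDIF = """\
dn: cn=user1,domain=mydomain,dc=net,dc=dot
objectClass: posixAccount
cn: user1

dn: cn=user1,domain=otherdomain,dc=com,dc=dot
objectClass: posixAccount
cn: user1
"""

# Flat layout: the domain is an attribute and part of a multivalued RDN.
FLAT_LDIF = """\
dn: cn=user1+domain=mydomain.org,ou=domainusers,dc=myorg,dc=whatever
objectClass: posixAccount
objectClass: domain
domain: mydomain.org
cn: user1

dn: cn=user1+domain=otherdomain.net,ou=domainusers,dc=myorg,dc=whatever
objectClass: posixAccount
objectClass: domain
domain: otherdomain.net
cn: user1
"""


def parse_ldif(text):
    """Minimal LDIF: 'attr: value' lines, blank line between entries.
    Returns a list of dicts mapping lower-cased attribute -> list of values."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries


def parse_rdn(dn):
    """First RDN of a DN as a dict; '+' joins the parts of a multivalued RDN."""
    first = dn.split(",", 1)[0]
    pairs = (ava.split("=", 1) for ava in first.split("+"))
    return {k.strip().lower(): v.strip() for k, v in pairs}


def parse_filter(text):
    """Parse the filter subset used in the thread: &, |, ! and equality."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if text[pos] in "&|!":
            op, pos = text[pos], pos + 1
            kids = []
            while text[pos] == "(":
                kids.append(node())
            if text[pos] != ")":
                raise ValueError("expected ')' at offset %d" % pos)
            pos += 1
            return (op, kids)
        end = text.index(")", pos)  # values containing ')' are out of scope here
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr.strip().lower(), value.strip())

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(entry, tree):
    """Evaluate a parsed filter against one entry (case-insensitive equality)."""
    op = tree[0]
    if op == "=":
        return any(v.lower() == tree[2].lower() for v in entry.get(tree[1], []))
    kids = tree[1]
    if op == "&":
        return all(matches(entry, k) for k in kids)
    if op == "|":
        return any(matches(entry, k) for k in kids)
    return not matches(entry, kids[0])  # "!"


def search(entries, filter_text, base=None):
    """Subtree search: DNs at or under `base` (whole tree if None) matching the filter."""
    tree = parse_filter(filter_text)
    hits = []
    for entry in entries:
        dn = entry["dn"][0]
        under = base is None or dn.lower() == base.lower() or dn.lower().endswith("," + base.lower())
        if under and matches(entry, tree):
            hits.append(dn)
    return hits


def lookup_unique(entries, filter_text, base=None):
    """A login or mailbox lookup must resolve to exactly one entry; an
    ambiguous result is an error, never 'first match wins'."""
    hits = search(entries, filter_text, base)
    if len(hits) != 1:
        raise LookupError("expected exactly one entry, got %d" % len(hits))
    return hits[0]
```

Run `search(parse_ldif(FLAT_LDIF), "(&(objectClass=posixAccount)(cn=user1))")` and you get both user1 entries back; adding `(domain=mydomain.org)` narrows it to one. With the nested data the same two-term filter is also ambiguous over the whole tree, and it is the `base` argument (`domain=mydomain,dc=net,dc=dot`) that selects the right one. `lookup_unique` is the shape a Postfix-style lookup should take: any count other than one is refused.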