Hallvard B Furuseth wrote:
> When we run an LDAP server for some other organizations, what base
> DN should we recommend that they choose for their LDAP tree?

This is basically the same problem as running several LDAP servers within one company (e.g. MS AD and OpenLDAP or whatever). Generally I recommend following dc-style naming, but with an additional level (sub-domain) reflecting each service name. To be sure, talk to the DNS people to reserve the used sub-domain for this particular service. In some companies it might be hard to even register sub-domains, though. You have to negotiate that with the people responsible for DNS.

Examples:

msad.stroeder.com -> dc=ad,dc=stroeder,dc=com
corpdir.stroeder.com -> dc=corpdir,dc=stroeder,dc=com

With this approach you're totally flexible regarding referrals and SRV RRs, and you avoid name clashes in advance.

> The server host name will be under our domain, not theirs. (And the
> server cert cannot contain name under their domain, so it will only
> confuse matters if they create a CNAME under their domain which refers
> to the server.)

This does not have anything to do with the search root anyway.

> dc=<their domain>,dc=no still seems the normally best choice. Doesn't
> allow hostname/DN guessable from each other and won't work like intended
> with DNS SRV records.

Do you mean their FQDN as <their domain>? I'd not recommend this.

> But it still avoids the need for administration
> of names to avoid name conflicts with other organizations.

Well, most times DNs are not handled alone. Most times you have all the information to form proper LDAP URLs. :-)

> The one problem I see is if they intend to use "our" LDAP server for one
> kind of clients (probably authentication) may set up some other public
> LDAP server of their own. They may then (or some time later) want
> referrals between the servers. A referral can change the DN of the
> referred entry, but client support for such features vary.

Frankly, most of my customers don't even know about referrals. So referrals are really rarely used in the wild, and this is rather academic.

Client software capable of accessing multiple directories is capable of holding multiple LDAP configuration records. Usually the AD guys have to deal with the relationship of LDAP and DNS. But most other LDAP client software is not able to deal with SRV RRs. So you won't find them in corporate networks for anything else than AD.

Ciao, Michael.

--
Michael Ströder
E-Mail: [EMAIL PROTECTED]
http://www.stroeder.com
