Hallvard B Furuseth wrote:
> Michael Ströder writes:
>> Generally I recommend following dc-style naming, but with an additional
>> level (sub-domain) reflecting each service name. To be sure, talk to the
>> DNS people to reserve the sub-domain used for this particular service.
>> In some companies it might be hard to even register sub-domains, though.
>> You have to negotiate that with the people responsible for DNS.
>>
>> Examples:
>> msad.stroeder.com -> dc=ad,dc=stroeder,dc=com
>> corpdir.stroeder.com -> dc=corpdir,dc=stroeder,dc=com
>>
>> With this approach you're totally flexible regarding referrals and SRV
>> RRs, and you avoid name clashes in advance.
>
> Cool idea, we'll suggest that one. We're already stealing name
> administration from DNS, so push it right back there.
>
> Except, I'm not coming up with any good names for the "who knows what
> it'll eventually be used for" directory.

Finding good names is always a little bit difficult. And asking the customer is often not helpful either. :-/

> A common development will
> likely be that it starts as an authentication directory with no public
> read access, and existing directory entries later grow to be publicly
> readable whitepages entries as well. "dc=ldap,dc=someorg,dc=no" seems a
> bit spurious.

Yes, avoid dc=ldap,[..].

I guess you're selling a product. Does your service have a unique product name? It certainly should have, maybe even registered as a trademark. And this could be the best choice for naming the sub-domain as well.

> In any case, it's the customers' problem what to use. We'll just give
> them recommendations (including yours) and host whatever they say.

Most of the time in projects I suggest a name based on some other local descriptor and ask the customer to think of a better name. Guess which choice goes to production... ;-)

>> Usually the AD guys have to deal with the relationship of LDAP and DNS.
>> But most other LDAP client software is not able to deal with SRV RRs. So
>> you won't find them in corporate networks for anything else than AD.
>
> Yes, it was mostly a "just in case" concern of mine. The advice I got
> in a Microsoft group is that AD demands _ldap._tcp.<domain> for its own
> use. That would mean the choice is between using Windows (with a normal
> setup I guess) and having real LDAP SRV records.

As said before, that basically boils down to avoiding name clashes of your search root (based on the DNS sub-domain) with any domain name used for AD. Many of my customers use example.net for their AD domains (guess MS consultants want to spread .NET with this domain naming approach) and example.com/example.de for their web space. Other approaches are out there as well (including use of a self-invented, unofficial top-level domain).

Ciao, Michael.
--
Michael Ströder
E-Mail: [EMAIL PROTECTED]
http://www.stroeder.com
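The naming scheme discussed in the thread (DNS sub-domain per service mapped to a dc-style search base, and avoiding a search root that collides with an AD domain) as a small added example; this is not code from the thread or from either poster, and all domain names in it are constructed:

```python
"""Added example (not from the mailing-list thread): map a DNS name to a
dc-style LDAP search base and flag clashes between a proposed directory
sub-domain and domains already used for Active Directory.
All domain names used here are constructed examples."""


def _norm(domain: str) -> str:
    """Lower-case and strip a trailing dot so 'Example.NET.' == 'example.net'."""
    return domain.strip().rstrip(".").lower()


def domain_to_dn(domain: str) -> str:
    """stroeder.com -> dc=stroeder,dc=com (one dc RDN per DNS label)."""
    labels = [lab for lab in _norm(domain).split(".") if lab]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"dc={lab}" for lab in labels)


def dn_to_domain(dn: str) -> str:
    """dc=corpdir,dc=stroeder,dc=com -> corpdir.stroeder.com; rejects non-dc RDNs."""
    labels = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.lower() != "dc" or not value:
            raise ValueError(f"not a pure dc-style DN: {dn!r}")
        labels.append(value.lower())
    return ".".join(labels)


def ldap_srv_name(domain: str) -> str:
    """The SRV owner name an LDAP client (and AD itself) looks up for a domain."""
    return f"_ldap._tcp.{_norm(domain)}"


def _same_or_subdomain(domain: str, parent: str) -> bool:
    d, p = domain.split("."), parent.split(".")
    return d == p or (len(d) > len(p) and d[-len(p):] == p)


def naming_clashes(proposed: str, ad_domains) -> list:
    """Return AD domains whose DIT subtree would overlap the proposed search
    root: identical names, or one name being a sub-domain of the other."""
    prop = _norm(proposed)
    return [ad for ad in map(_norm, ad_domains)
            if _same_or_subdomain(prop, ad) or _same_or_subdomain(ad, prop)]


if __name__ == "__main__":
    print(domain_to_dn("corpdir.stroeder.com"))
    print(ldap_srv_name("corpdir.stroeder.com"))
    print(naming_clashes("corpdir.example.net", ["example.net", "example.com"]))
```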
