At Thu, 14 Jul 2005 12:28:56 +1000, Howard Lowndes wrote:
> I'm trying to get somewhere with setting up an LDAP database.

> The problem I am encountering is that all the examples that I can find
> assume that the top level has a dn: of the form dc=example,dc=com
> My problem is that I want a different top level, and I want my
> slapd.conf file to look like [o=myhosting example]

The DN is supposed to be *globally* unique.  Hence everyone uses some
sort of DNS name as the root of the data stored in their LDAP server.
(The older convention was o=Company Name,c=AU, but DNS names are
better in an internet age.)

I really think you should rethink your base DN.  Note that the DN has
very little to do with the actual data stored in that entry (or below
that point in the tree) - it just has to be unique.

> Thus far my layout works just fine, but when I come to add dcObjects I
> start to run into problems.  An LDIF of:
> 
> dn: dc=example,dc=com,o=myhosting
> objectClass: dcObject
> dc: example
> 
> returns the following error:
> # ldapadd -x -D 'cn=manager,o=myhosting' -W -f myhosting.ldif
> adding new entry "dc=example,dc=com,o=myhosting"
> ldap_add: Object class violation (65)
>          additional info: no structural object class provided

That's because your objectclasses (only dcObject) are only "auxiliary"
classes that augment other "structural" objectclasses.  You need at
least one structural objectclass for each LDAP entry.  You might want
to consider using objectClass "domain" for these entries
(RFC1274/cosine).

> If I then expand this LDIF file to:
> 
> dn: dc=example,dc=com,o=myhosting
> objectClass: dcObject
> dc: example
> objectClass: organizationalUnit
> ou: My Hosting
> 
> I now get this error:
> # ldapadd -x -D 'cn=manager,o=myhosting' -W -f myhosting.ldif
> adding new entry "dc=example,dc=com,o=myhosting"
> ldap_add: No such object (32)
>          matched DN: o=myhosting
> The question at this point is: What am I doing wrong here?

I think that error means you have to create dc=com,o=myhosting first.

> Now, let us consider setting up my database more like the examples.
> The questions here are:
> 
> 1: Can I have more than 1 "database bdb" entry, say 1 for each of
> several disparate domains?

Yes, if you want.  There isn't much reason to actually store the
separate domains in separate files however.  I wouldn't do it unless I
had some technical reason to do so (large databases that want
different indexing or different backend implementations, for example).

> 2. If I can have more than 1 "database bdb" entry, can they all
> co-exist in the same directory path "/var/lib/ldap" or do they need
> separate directory paths "/var/lib/ldap/firstdomain",
> "/var/lib/seconddomain", etc?

It looks like it has to be separate directories.

> 3. Do the rootdn's have to match each dc= for its suffix or can it be
> quite different, and can I have a common rootdn for all domains?

You may specify a rootdn for each database.  According to
slapd.conf(5), if the rootdn is outside the suffix ("namingContext"),
then the "rootpw" directive won't work.

The rootdn in OpenLDAP is like an LDAP superuser account.  The most
secure way to use openldap is to never use the superuser account.  You
can use openldap without specifying rootdn at all and enjoy finer
grained access controls.

> 4. I understand that multiple "database bdb" entries are permissible
> and apparently multiple suffix entries are permissible.  Are
> multiple/multiples permissible?

Yes (assuming I understand your question).

> 5. If multiple suffixes are permissible under any "database bdb"
> entry, then how is the following considered:
> suffix "dc=example,dc=com"
> suffix "dc=sitea"
> suffix "dc=siteb"
> Is the third line a subset of the second or of the first?

Neither is a subset of another in this example.

-- 
 - Gus

-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
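
An added worked example, not part of the thread above: a small stdlib-only LDIF
linter that catches the two ldapadd failures discussed (error 65, no structural
object class, and error 32, parent entry not yet present) before anything is
sent to slapd. The two LDIF strings are constructed for the example: the first
reproduces the original poster's layout, the second is the corrected version
(objectClass "domain" on the dc entries, dc=com,o=myhosting added before its
child). Assumptions: the STRUCTURAL table is a hand-picked subset of the
core/cosine schema, DN parsing ignores escaped commas, and the lint reports
schema problems before parent problems because that is the order the errors
appeared in the thread.

```python
"""Lint an LDIF file for the two ldapadd failures from the thread:
  - Object class violation (65): no structural objectClass on the entry
  - No such object (32): the parent entry has not been added yet

Added example, stdlib only; never talks to a directory server.
"""
import base64

# Assumption: a subset of the core/cosine schema sufficient for these entries.
# 'top' is abstract and 'dcObject' is auxiliary, so neither counts here.
STRUCTURAL = {"domain", "organization", "organizationalunit", "organizationalrole",
              "person", "organizationalperson", "inetorgperson", "groupofnames"}

# Constructed input: the original poster's layout (o=myhosting exists, then a
# dc entry carrying only the auxiliary class dcObject and no parent dc=com).
BROKEN_LDIF = """\
dn: o=myhosting
objectClass: organization
o: myhosting

dn: dc=example,dc=com,o=myhosting
objectClass: dcObject
dc: example
"""

# Constructed input: the corrected layout, parents first, structural class on each.
FIXED_LDIF = """\
dn: o=myhosting
objectClass: organization
o: myhosting

dn: dc=com,o=myhosting
objectClass: domain
dc: com

dn: dc=example,dc=com,o=myhosting
objectClass: domain
dc: example
"""


def parse_ldif(text):
    """Return a list of {'dn': str, 'attrs': {lowercase name: [values]}}.
    Handles folded continuation lines (leading space) and base64 ("::") values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:             # sentinel blank line flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        name = name.strip().lower()
        if name == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is not None:
            current["attrs"].setdefault(name, []).append(value)
    return entries


def normalize_dn(dn):
    """Canonical form for comparisons: lowercase, no blanks around ',' or '='.
    Assumption: RDN values contain no escaped commas."""
    rdns = [rdn.strip() for rdn in dn.split(",")]
    return ",".join("=".join(s.strip().lower() for s in rdn.split("=", 1)) for rdn in rdns)


def parent_dn(dn):
    """Parent of a normalized DN ('' for a top-level entry)."""
    return dn.partition(",")[2]


def lint(ldif_text, suffix):
    """Replay the entries in file order and report what slapd would reject.
    Returns a list of messages; an empty list means the file should load."""
    root = normalize_dn(suffix)
    existing = set()                      # entries that would have been added so far
    problems = []
    for entry in parse_ldif(ldif_text):
        dn = normalize_dn(entry["dn"])
        ok = True
        classes = {c.lower() for c in entry["attrs"].get("objectclass", [])}
        if not classes & STRUCTURAL:      # schema is checked before the parent lookup
            problems.append(f'{entry["dn"]}: Object class violation (65): '
                            'no structural object class provided')
            ok = False
        parent = parent_dn(dn)
        if dn != root and parent not in existing:
            matched = parent              # nearest ancestor that does exist
            while matched and matched not in existing:
                matched = parent_dn(matched)
            problems.append(f'{entry["dn"]}: No such object (32): '
                            f'matched DN: {matched or "(none)"}')
            ok = False
        if ok:
            existing.add(dn)
    return problems


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_LDIF), ("fixed", FIXED_LDIF)):
        print(f"--- {label} ---")
        for msg in lint(text, "o=myhosting") or ["ok: no problems found"]:
            print(msg)
```

Run it over an LDIF before `ldapadd -x -D 'cn=manager,o=myhosting' -W -f file.ldif`;
because the lint replays entries in file order, it also catches a correctly
classed child that merely appears above its parent, which is the other common
cause of error 32.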
