[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: The general problem with multiple databases
At 03:00 PM 6/2/00 -0700, Terry Lambert wrote:
>Phil Dodderidge wrote:
>>
>> I am trying to partition my data into multiple databases
>> for ease of administration and I have run into a problem
>> with group access control across databases.
>>
>> I have something like the following in my slapd.conf
>>
>> ...
>> database ldbm
>> suffix "dc=domain,dc=com"
>> directory /usr/local/ldap/db
>> ......
>> database ldbm
>> suffix "ou=div1,o=company a,dc=domain,dc=com"
>> directory /usr/local/ldap/db/div1
>
>This begs the question of whether or not "dc=" naming
>shouldn't have explicit use of dots so that root references
>can be made
Root references are already possible. "dc=." refers to the
root. However, note, "dc=." should only be used if the
domain has no components. That is:
. <-> dc=.
example.net. <-> dc=example,dc=net
The latter is per RFC 2247. The former, hopefully, we be
added as a clarification in a subsequent revision. In that
clarification, it should be noted that 'dc=.' should only be
used to a form DN representing the root of the DNS tree.
That is, "dc=foo,dc=." is invalid and not necessary.
> suffix "dc=domain.,dc=com.,dc=."
Implementations should use RFC 2247 mapping of domains to
DNs.
>I expect that this would require changing the free referral
>service somewhat, but what do people think about this?
It would require a shitload more change than that. RFC 2247
naming is in fairly wide use.
>Right now, I can't have both:
>
> suffix "dc=foo,dc=com"
>
>and:
>
> suffix "dc=foo,dc=net"
>
>easily in one database without redirection through a
>referral server.
Same would be true for true with the addition of dc=..
That is, you still need glue between subordinates and
their common superior.
>Alternately, is anyone interested in working on a draft
>to define the interaction of DNS SRV records (which do not
>like to be used with a protocol without a per-protocol-RFC
>on the subject) with LDAP?
LDAPext WG already has an I-D on the subject.
http://www.ietf.org/internet-drafts/draft-ietf-ldapext-locate-02.txt
You are welcome to comment.
The "root" server is an "experimental" service based, in
part, upon this draft. We'll soon be publishing an separate
I-D, intended for publication as an "Experimental" RFC, describing
the service.
>In particular, it seems that it would be difficult to
>require clients to forage for the base DN.
I don't think it will be a MUST... but it should be RECOMMENDED
for both clients and servers. It's all rather straight forward
to implement.