
Re: LDAP control for multiple domains

> >>Well, the structure that you dislike so much is more than just "popular
> >>lately", it is a standards track RFC, i.e. RFC 2247.
> I have read RFC 2247 with great interest.  Unfortunately, it says
> --
> This document defines an algorithm by which a name registered with the
> Internet Domain Name Service [2] can be represented as an LDAP
> distinguished name.
> --
> But nowhere does it say *why*.  No benefits of the given
> "standard" are explained.  No explanation of what problem it is solving.
> The only explanation it gives is

What benefit does o=*,c=*, offer?

>The only time having a standard DN for a given company would be
>useful, as far as I can tell, is if you want your company's LDAP server
>to be part of some global searchable directory -- and thus would need a

Certainly.

>way to "algorithmically transform" a company's domain name into a DN.

No, you need a way to "algorithmically transform" all the time.
Automatic configuration (Zero Administration Networks) is much more
feasible when network configuration resides in a DIT and the client has
a universal method to discover the root.

>..and this would only be helpful if your company has a server
>that answers to your domain name and also answers LDAP requests --
>otherwise, you'd still need to know the DNS name or I.P. of the LDAP
>server anyway.

This can be discovered via SRV records.

>So I'm still left wondering what this standard is good for.  At
>least now I can contact the RFC authors directly and ask them (thanks
>again for the reference!).

Again, what is o=*,c=* good for?  That standard provides no operational
benefits whatsoever.

>>And dc=*,dc=* works with SRV records, where I can't see how o=*,c=*
>>would.
>Can you elaborate on this?  What is an SRV record?  This is (so
>far) the only benefit I've seen mentioned.

SRV records are "Service" records.  They provide via DNS (universally
supported) a way for clients to locate the IMAP, LDAP, POP, SMTP and
Kerberos services appropriate to them.

1. Client boots.
2. Client receives an address via DHCP.
3. Client receives a hostname/domain from DHCP or does a reverse lookup
on the provided IP to determine its domain.
4. Client looks for LDAP servers in DNS (SRV).
5. Client manifests search base from domain (dc=*,dc=*).
6. Client can now query the DSA and provide that information to any
applications it is hosting.

If those applications use LDAP for their operation, how much effort did
you expend configuring the client?
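
Steps 3 to 5 of the bootstrap above, as an added Python example that is not code from this thread: it derives the SRV owner name and the RFC 2247 search base from the domain the client learned, and orders the SRV answers by priority and weight as RFC 2782 describes. The `SrvRecord` type, the `resolve` callback and the `SAMPLE` answer set are constructed for the example; a real client would get the answers from DNS.

```python
import random
import re
from collections import namedtuple

# RFC 1034-style label check: letters/digits, hyphens only inside, max 63 chars.
_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
# Constructed stand-in for a parsed SRV resource record (assumption, not a real API).
SrvRecord = namedtuple("SrvRecord", "priority weight port target")

def domain_to_dn(domain: str) -> str:
    """example.com -> dc=example,dc=com (RFC 2247), rejecting malformed labels."""
    labels = domain.rstrip(".").lower().split(".")
    for label in labels:
        if not _LABEL.match(label):
            raise ValueError(f"invalid DNS label: {label!r}")
    return ",".join(f"dc={label}" for label in labels)

def srv_name(domain: str, service: str = "ldap", proto: str = "tcp") -> str:
    """Owner name the client queries for the LDAP service's SRV records."""
    return f"_{service}._{proto}.{domain.rstrip('.').lower()}"

def order_srv(records, rng=random):
    """Lowest priority first; inside one priority, weighted random (RFC 2782)."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total) if total else 0
            running = 0
            for r in group:
                running += r.weight
                if running >= pick:  # first record whose running sum reaches pick
                    ordered.append(r)
                    group.remove(r)
                    break
    return ordered

def bootstrap(domain: str, resolve):
    """resolve(name) -> list of SrvRecord or None; returns ((host, port), base_dn)."""
    answers = order_srv(resolve(srv_name(domain)) or [])
    if not answers:
        return None
    return (answers[0].target, answers[0].port), domain_to_dn(domain)

# Constructed sample answer set, standing in for a real DNS lookup.
SAMPLE = {"_ldap._tcp.example.com": [
    SrvRecord(20, 0, 389, "backup.example.com."),
    SrvRecord(10, 60, 389, "ldap1.example.com.")]}
```

Running `bootstrap("example.com", SAMPLE.get)` yields the preferred server and the search base `dc=example,dc=com` without any per-client configuration.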