
Re: Existing AD, how to handle suffix for new OpenLDAP install?

--On Thursday, August 19, 2004 12:21 AM -0400 Jonathan Beasley <jon-openldap-software@1badpixel.com> wrote:

> Hello!
>
> We currently have an Active Directory (W2k) domain for our organization,
> with a DNS domain name "Enterprise.federation"
> So, Active Directory LDAP service has a naming context of
> "dc=Enterprise,dc=federation"
>
> We are moving our email services to qmail-ldap (good-bye Domino!), and I
> am presently in the middle of installing an OpenLDAP (2.2.15) server on
> one of my shiny, new IBM x335's (running Debian GNU/Linux Sarge 3.1).
>
> Install went fine (well, eventually), but now I'm running into a question
> that seems pretty straight-forward, but that I just cannot seem to locate
> an answer for anywhere on the internet, or in my two LDAP books (LDAP
> System Administration - Gerald Carter, and Implementing LDAP - Mark
> Wilcox).  The closest I came to a solid answer was here:
> http://www.zytrax.com/books/ldap/apa/ldap-root.html
>
> Anyway, my question (finally, sorry) is concerning the 'suffix' setting in
> slapd.conf.  The example in the file is:
>
> suffix      "dc=my-domain,dc=com"
>
> which, in my case, would seem to be:
>
> suffix "dc=Enterprise,dc=federation"

It doesn't have to be that, no. It could be your domain name, which I think is its intended purpose.

Like Stanford's is "dc=stanford,dc=edu" since we are the stanford.edu domain. (DC=Domain Component, IIRC).

> "But," surmised I, "wouldn't that step on the toes of my Active Directory
> domain, since it is the very same LDAP naming context?"
>
> Would it?

Not necessarily. Are they going to talk to each other?

> Can they share the same suffix?

Probably not if they talk to each other.

> Must the new OpenLDAP directory suffix be a subset of the AD LDAP suffix?

Not if they don't talk to each other.

> e.g. -
>
> suffix      "dc=openldap,dc=Enterprise,dc=federation"
>
> If the OpenLDAP suffix must be a subset of the AD suffix, do I just
> arbitrarily pick something for the name of the first domain component of
> this new FQDN? The last two domain components are taken from my DNS
> domain name.
>
> Am I making this more difficult than it has to be? :)

I think so. But maybe not.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
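The three relationships the exchange turns on (an OpenLDAP suffix that is the same as, subordinate to, or disjoint from the AD naming context) can be checked mechanically before a slapd.conf is committed. This is an added example, not code from the thread or from OpenLDAP; the function names are mine, and the "dc=mail,dc=example,dc=com" suffix is a constructed value.

```python
"""Compare a proposed OpenLDAP 'suffix' against an existing Active Directory
naming context. Added example for the thread above; helper names are mine."""
import re


def split_dn(dn):
    """Split a DN into RDN strings on commas that are not backslash-escaped
    (RFC 4514 escaping), so 'cn=Smith\\, John' stays one RDN."""
    return [p for p in re.split(r'(?<!\\),', dn) if p]


def normalize_dn(dn):
    """Return (type, value) pairs with both parts lower-cased: the dc attribute
    uses caseIgnore matching, so DC=Enterprise and dc=enterprise are equal."""
    rdns = []
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition('=')
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def dns_to_dn(domain):
    """Map a DNS domain to its dc-style DN, the convention the thread describes
    (stanford.edu -> dc=stanford,dc=edu)."""
    return ','.join('dc=%s' % label for label in domain.strip('.').split('.'))


def relationship(proposed, existing):
    """Classify a proposed suffix relative to an existing naming context:
    'same'        -> the two directories would claim an identical context
    'subordinate' -> proposed sits beneath existing (dc=openldap,dc=...)
    'superior'    -> existing sits beneath proposed
    'disjoint'    -> no overlap at all"""
    p, e = normalize_dn(proposed), normalize_dn(existing)
    if p == e:
        return 'same'
    if len(p) > len(e) and p[-len(e):] == e:
        return 'subordinate'
    if len(e) > len(p) and e[-len(p):] == p:
        return 'superior'
    return 'disjoint'


if __name__ == '__main__':
    ad_context = dns_to_dn('Enterprise.federation')
    for candidate in ('dc=Enterprise,dc=federation',
                      'dc=openldap,dc=Enterprise,dc=federation',
                      'dc=mail,dc=example,dc=com'):  # constructed value
        print('%-45s %s' % (candidate, relationship(candidate, ad_context)))
```

Run stand-alone it prints the classification of each of the three candidate suffixes against the AD context derived from the DNS domain.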