[Fedora-directory-users] Specifying an all-inclusive User directory subtree?
jclowser at unitedmessaging.com
Fri Jul 29 15:21:57 UTC 2005
Kevin Myer wrote:
> Quoting Jeff Clowser <jclowser at unitedmessaging.com>:
>> There is really no need to use the dc=k12,dc=pa,dc=us style tree - in
>> fact, in most cases I've set up, that was actually a bad choice. Sun
>> uses o=internet as a base under which to put a full dc tree (in their
>> 5.x messaging software), but even they are moving away from that,
>> because it doesn't work very well in a lot of cases (though it works
>> a lot better than st=pa,c=us type trees). If you really want to use
>> a domain based tree, build it under something like o=internet. (i.e.
>> dc=k12,dc=pa,dc=us,o=internet, etc) so there is a common root.
> I should have been more specific and stated that using a domain component
> approach to the tree layout was an initial assumption.
One thing I've seen is the following:
1. Create separate trees - i.e. dc=k12,dc=pa,dc=us, etc.
2. Then create another tree, such as o=isp, and under that, create
referrals or chains for each of your "real" trees, so that you can search
the "forest" using o=isp, but have each tree stand alone.
Personally, I don't like this approach, because it has implications for
clients (do they follow referrals?), ACIs, and is just a mess to
maintain. I also prefer to only use referrals/chains to split trees
across servers (if that's needed for delegation or scaling of services),
rather than to remap trees (I hate doing a search where the dn that gets
returned isn't under the tree I searched... But that's just me). KISS
is important :)
> What are the problems you've encountered using a domain based tree
> (dc=iu13,dc=org,o=internet), versus one where the domain is treated as an
> organization (o=iu13.org,o=internet), other than having a few more
> to type? Has thinking on using DC style trees changed?
I wouldn't say thinking on dc style trees has "changed", so much as
there are different opinions out there :) . As far as I know, rfc2247
is the only rfc that defines a tree structure, but also as far as I
know, it is just saying "here is one way to build a tree", rather than
"here's the best/recommended way to build a tree". It's nice because it
mirrors DNS, another common directory service, but it isn't the best for
all cases. Other tree structures (i.e. o based) are just as valid,
depending on what your needs are. I believe the dc structure is the one
Microsoft uses in Active Directory, so a lot of people will say it's
"best" to use this to be able to interoperate more easily with Active
Directory. The directory server does not _require_ this structure by
any means - it's just the default suffix it offers.
As for the problems I've had - they are very similar to the problems you
are describing - if I have xyz.com and abc.org, how do I put them in a
common tree? I can't, unless I have a stub entry to root them under
(i.e. o=internet, etc). Most ldap enabled services/software (mail,
calendar, dns, etc) expect one tree to look for resources in. If you
create separate trees, you often have to deploy separate
servers/instances of servers for each, which is not efficient. If you
want to handle web or mail services for N domains, do you want to deploy
one server (or server cluster) to handle this, or do you want to have to
deploy/maintain n servers, each separately/differently configured?
Also, if you are hosting a dozen domains with 100 users in each, do you
want one server or a dozen under-utilized servers to maintain? This
just doesn't scale well/efficiently using separate trees like this.
In any event, it is unwise to write applications that assume anything
about the data based on the structure of the tree (other than apps that
administer the data in ldap), so the tree structure _shouldn't_ matter
too much (yeah, I know, in an ideal world). A simple example of this:
say you have a mail server that receives mail for user joe at abc.org. It
looks in ldap only under dc=abc,dc=org. Sounds good, but what if the
organization has multiple domains - say abc.com and abc.org. Further,
joe receives email to joe at abc.org and joe at abc.com. Joe's login account
has to be under dc=abc,dc=org or dc=abc,dc=com - he can't be under both,
realistically. Sure, you could create his account under dc=abc,dc=org,
and create an alias under dc=abc,dc=com that redirects things to
joe at abc.org. However, now you have 2 entries that represent joe - if he
quits, you have to remember to clean up all these entries - putting all
this in one entry (say mail and mailalternateaddress if you use Sun's
mail server) means it's all in one place and easy to clean up. Also,
you probably have user accounts for the same organization under both,
maybe with aliases in the other. Also, you have to be careful as to
whether or not joe at abc.com and joe at abc.org are different users, or one
is an alias of the other. Also, if you are delegating administration
(say to multiple customers), segregating administration of domains using
this model gets complex or is limiting (i.e. no customer can have more
than one domain). All doable, but much more complex to keep track of.
If, on the other hand, you create o=abc.org,o=isp, and associate abc.com
and abc.org with that branch (Sun's messaging, for example, has domain
and associateddomain attributes in this entry to define the primary and
associated domains under this branch), and put all users with either
domain under that, things are nice and clean and organized.
On a similar note - even if the directory server allowed you to search
across all trees with a base of "", I'm guessing there's probably a lot
of client software out there that doesn't allow you to define a search
base of "".
Anyway, this is mostly just my opinion - take that for what it's worth :)
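As an added illustration (not part of the original post or any product's code), here is a small Python model of the two layouts the post compares: the lookup a mail server does from an address to a branch to a user entry, and the number of entries that must be cleaned up when a user leaves. The attribute names mail, mailalternateaddress, domain and associateddomain are the ones the post mentions; the DNs, the alias entry and its mailforwardingaddress attribute are constructed for the example.

```python
# Toy in-memory model of two LDAP layouts (constructed data, not a real
# directory). Entries are (dn, attributes) pairs.
from typing import Dict, List, Optional, Tuple

Entry = Tuple[str, Dict[str, List[str]]]

# Layout A: one branch per hosting customer under o=isp; abc.com is an
# associated domain of the abc.org branch and joe has a single entry.
ISP_TREE: List[Entry] = [
    ("o=abc.org,o=isp", {"domain": ["abc.org"], "associateddomain": ["abc.com"]}),
    ("uid=joe,ou=people,o=abc.org,o=isp",
     {"mail": ["joe@abc.org"], "mailalternateaddress": ["joe@abc.com"]}),
]

# Layout B: dc-style tree per domain; joe's real account is under
# dc=abc,dc=org and a constructed alias entry under dc=abc,dc=com forwards.
DC_TREE: List[Entry] = [
    ("dc=abc,dc=org,o=internet", {"domain": ["abc.org"]}),
    ("dc=abc,dc=com,o=internet", {"domain": ["abc.com"]}),
    ("uid=joe,ou=people,dc=abc,dc=org,o=internet", {"mail": ["joe@abc.org"]}),
    ("uid=joe,ou=people,dc=abc,dc=com,o=internet",
     {"mail": ["joe@abc.com"], "mailforwardingaddress": ["joe@abc.org"]}),
]

def branch_for_domain(tree: List[Entry], domain: str) -> Optional[str]:
    """DN of the branch whose primary or associated domain matches (case-insensitive)."""
    d = domain.lower()
    for dn, attrs in tree:
        owned = attrs.get("domain", []) + attrs.get("associateddomain", [])
        if d in (x.lower() for x in owned):
            return dn
    return None

def find_mailbox(tree: List[Entry], address: str) -> Optional[str]:
    """Resolve address -> branch -> user entry, as a mail server would."""
    _local, _, domain = address.partition("@")
    base = branch_for_domain(tree, domain)
    if base is None:
        return None  # domain not hosted here
    for dn, attrs in tree:
        if not dn.lower().endswith(base.lower()):
            continue  # outside the search base for this domain
        addrs = attrs.get("mail", []) + attrs.get("mailalternateaddress", [])
        if address.lower() in (a.lower() for a in addrs):
            return dn
    return None

def entries_for_uid(tree: List[Entry], uid: str) -> List[str]:
    """All entries representing a user: what must be removed when they leave."""
    return [dn for dn, _ in tree if dn.lower().startswith(f"uid={uid.lower()},")]
```

In layout A both joe@abc.org and joe@abc.com resolve to the same entry, so one deletion removes the user; in layout B the alias entry is a second object to remember.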