On 12/10/12 12:20 +0200, Valentin Bud wrote:
> Hello World,
> I am using OpenLDAP for quite some time now, a few months. I have set up a simple directory following DNS, RFC2247, directory structure, `dc=company,dc=com`.
> I use the directory to store POSIX accounts. Now I want to extend the directory to store application configuration, starting with Postfix virtual domains and maps. I would also like to store Kerberos principals in the future.
I would recommend lab'ing it up before committing to a design. If your domains are truly separate, in that you will have equipment dedicated to each domain, then your approach below makes sense.
However, if you have a scenario where you have, say, an email server that you intend to support SMTP authentication, or relay, for several domains from one server, it may be difficult for all the various software pieces involved to fit the design.
Consider the scenario where 'jim' at 'compA.com' is requesting some resource. Postfix, sasl, heimdal/mit, your pam/nss ldap modules, will need to know how to convert that request to a filter of 'uid=jim' and a base of 'ou=people,dc=compA,dc=com'.
Another approach, and the one that I chose in my network, is to have a flat design:
uid=jim@compA.com,ou=people,dc=example,dc=com
uid=jim@compX.net,ou=people,dc=example,dc=com
Which simplifies the configuration of all the various pieces.
This has one big drawback, in that some pam/nss modules don't like to see an '@' symbol in the uid, such as nssov and pam-nss-ldapd (although the latter now has a configurable option to support it).
You might also consider how you expect to provision users. Will one group of administrators provision new users, or will different groups provision users for different domains? In which case a separated DIT design may be easier to manage.
> For now I have three companies I want to use OpenLDAP for. Each of these companies has part of the above services in their premises and in some datacenters. I would like to configure replication between the datacenter and the premise.
> Maybe more companies will be added to the mix in the future. Do you think it would be safe to use an empty suffix "" and go with RFC2247 structure downwards?
>
>                  ""
>                  |
>         +--------+--------+
>         |                 |
>       dc=net            dc=com
>         |                 |
>      dc=compX       +-----+-----+
>                     |           |
>                 dc=compA    dc=compB
>
> I think this way it would be easy to replicate `dc=compA,dc=com` from the datacenter servers to the on-premise ones. Also this would keep things simple (?). Each company would get an `ou` for people and one for groups.
> I would also want to add the fact that some directories will also be used to store Samba ID maps but I guess this makes no difference on how the directory is structured.
> What do you people think about this approach? If some of you have some information on the topic of DIT Design please share so I can learn more.
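An added example, not code from either poster, showing what the "convert that request to a filter and a base" step looks like under the two layouts compared in this thread: it maps a login such as 'jim@compA.com' to a search base via the RFC 2247 domain-to-DN rule and builds the uid filter with RFC 4515 escaping, so a crafted login cannot alter the filter. The `ou=people` container and the `dc=example,dc=com` flat suffix are taken from the thread; the function names are my own.

```python
import re

# Domain labels -> dc= RDNs (RFC 2247). The case of labels is preserved so
# the result matches the thread's 'dc=compA,dc=com' spelling.
_LABEL = re.compile(r"[A-Za-z0-9-]+")


def domain_to_dn(domain: str, suffix: str = "") -> str:
    """'compA.com' -> 'dc=compA,dc=com', optionally placed under a suffix."""
    labels = [lbl for lbl in domain.strip(".").split(".") if lbl]
    if not labels or not all(_LABEL.fullmatch(lbl) for lbl in labels):
        raise ValueError(f"not a valid DNS name: {domain!r}")
    dn = ",".join(f"dc={lbl}" for lbl in labels)
    return f"{dn},{suffix}" if suffix else dn


# RFC 4515: characters that would change the structure of a search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it is matched literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def lookup_params(login: str, design: str, flat_suffix: str = "dc=example,dc=com"):
    """Return (search base, filter) for a 'user@domain' login.

    design='separated': one RFC 2247 subtree per domain, uid is the bare user.
    design='flat':      a single ou=people, uid keeps the '@domain' part.
    """
    user, sep, domain = login.partition("@")
    if not sep or not user or not domain:
        raise ValueError("login must have the form user@domain")
    if design == "separated":
        base = "ou=people," + domain_to_dn(domain)
        uid = user
    elif design == "flat":
        base = "ou=people," + flat_suffix
        uid = login
    else:
        raise ValueError(f"unknown design {design!r}")
    return base, f"(uid={escape_filter_value(uid)})"
```

The flat variant is where the '@' in the uid surfaces, which is the compatibility problem with some nss/pam modules mentioned above.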