
I am trying to set up an LDAP server from scratch on a CentOS 7 server. I was able to install it properly, but when it came to configuring it I am a bit stuck on the initial part.

The thing is the company I am setting this up for has 3 domains like:

  • example.com
  • example.in
  • example-new.com

I am following this tutorial.

How can I set up 3 different dc for a single LDAP server?

Atish Goswami


The answer to that is dependent on how you want to use the LDAP server.

  • If you want to have three completely separate LDAP trees, you would configure multiple databases in the cn=config configuration with the olcDatabase object type. Note that if you do it this way, you would need to set up a separate LDAP connection for each LDAP tree and you can't search for objects in other domains at all.
  • If you just want a logical separation, e.g. having separate mail accounts for each domain, you would just add a junction point at appropriate branches in the tree. Something like ou=example.com,cn=users,dc=example,dc=com and ou=example.in,cn=users,dc=example,dc=com where each cn would hold the users for a subdomain. Depending on your needs, you would have multiple such junction points, other options might be cn=groups,dc=example,dc=com or cn=sites,dc=example,dc=com. This way, you can either search for users in ou=example.com,cn=users,dc=example,dc=com and find only users for that domain or you can search more globally in cn=users,dc=example,dc=com and find all users.
  • A third approach is to have multiple subtrees, e.g. ou=example.com,dc=example,dc=com and ou=example.in,dc=example,dc=com and then have sub containers for actual objects like cn=users,ou=example.com,dc=example,dc=com. Note that while this approach offers better separation, it often turns out to be quite inefficient, as you now have to search the whole tree if you want to find an object in any of the domains.

An illustration:

  • Variant 1:

    dc=example,dc=com
        cn=users
        cn=groups
    ------------------  Complete separation
    dc=example,dc=in
        cn=users
        cn=groups
    
  • Variant 2

    dc=example,dc=com
        cn=users                <---- Junction point
            ou=example.com
                uid=alice
                uid=bob
            ou=example.in 
                uid=claire
        cn=groups               <---- Junction point
             ou=example.com
                cn=accounting
             ou=example.in
                cn=hr
    
  • Variant 3

    dc=example,dc=com 
        ou=example.com
            cn=users
            cn=groups
        ou=example.in
            cn=users
            cn=groups
    
Sven
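As an added illustration of Variant 1 (this LDIF is not part of the answer above), the following adds a second mdb database for dc=example,dc=in to a CentOS 7 cn=config next to the existing dc=example,dc=com database. The data directory, the Manager DN, the password hash and the "Example India" organization name are assumed placeholders; the olcAccess rules keep userPassword readable only for authentication so a compromised read-only bind on one tree does not leak hashes.

```ldif
# Applied as root on the server itself, which the stock CentOS 7 config maps to
# the config-database manager:
#   mkdir -p /var/lib/ldap/example-in && chown ldap:ldap /var/lib/ldap/example-in
#   ldapadd -Y EXTERNAL -H ldapi:/// -f example-in-db.ldif
#
# slapd assigns the next ordering index ({N}) to the new database automatically.
# olcRootPW below is a placeholder: generate a real value with `slappasswd`.
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbDirectory: /var/lib/ldap/example-in
olcSuffix: dc=example,dc=in
olcRootDN: cn=Manager,dc=example,dc=in
olcRootPW: {SSHA}REPLACE-WITH-SLAPPASSWD-OUTPUT
olcDbMaxSize: 1073741824
olcDbIndex: objectClass eq
olcDbIndex: uid,cn eq,sub
# Password hashes are never readable: users may change their own, anyone may
# bind with theirs, nobody else can read them. Everything else is self-writable
# and readable to authenticated users only (anonymous gets nothing).
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {1}to * by self write by users read by * none

# The new database is empty until its base entry exists. This second record is
# applied separately, binding as the rootdn of the new tree:
#   ldapadd -x -H ldap://localhost -D cn=Manager,dc=example,dc=in -W -f example-in-base.ldif
dn: dc=example,dc=in
objectClass: dcObject
objectClass: organization
dc: example
o: Example India
```

Repeat the same pair of records with the suffix, directory and rootdn changed for dc=example-new,dc=com to get the third tree; each tree then needs its own bind DN and search base in client software, as the answer notes.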
  • Thanks for the explanation, really helped me a lot to understand the structure of the data. I am really new to LDAP :) – Atish Goswami Feb 03 '17 at 16:27
  • Is there no way to have a common root that doesn't imply choosing `dc=example,dc=com` over `dc=example,dc=in`? Something like `dc=example,dc=com,o=commonroot`? So we could do `cn=users,o=commonroot` and use them in the tree in each domain `dc=example,dc=com,o=commonroot`. – Dolanor Nov 14 '17 at 11:19
  • @Dolanor: You can do quite a lot with things like referrals etc., but this depends on what you want to do specifically and I guess also on the LDAP implementation used and maybe even the client software - some stuff that nominally "supports LDAP" is quite inflexible with non-standard tree structures. – Sven Nov 14 '17 at 11:25
  • It is OpenLDAP, so I guess it follows the standard as much as it can. But again, I'm not knowledgeable in LDAP at all. What I want to do is to have an LDAP that enables me to have the same password on different services via LDAP directly (for smtp, imap, owncloud, gitea, etc) and that can act as background storage for coreos/dex (oauth2) to also do same password for multiple services. – Dolanor Nov 14 '17 at 14:10