Setting Up multiple domain in LDAP server
The answer to that is dependent on how you want to use the LDAP server.
- If you want to have three complete separate LDAP trees, you would configure multiple databases in the
cn=config
configuration with theolcDatabase
object type. Note that if you do it this way, you would need to setup a separate LDAP connection for each LDAP tree and you can't search for objects in other domains at all. - If you just want a logical separation, e.g. having separate mail accounts for each domain, you would just add a junction point at appropriate branches in the tree. Something like
ou=example.com,cn=users,dc=example,dc=com
andou=example.in,cn=users,dc=example,dc=com
where eachcn
would hold the users for a subdomain. Depending on your needs, you would have multiple such junction points, other options might becn=groups,dc=example,dc=com
orcn=sites,dc=example,dc=com
. This way, you can either search for users inou=example.com,cn=users,dc=example,dc=com
and find only users for that domain or you can search more globally incn=users,dc=example,dc=com
and find all users. - A third approach is to have multiple subtrees,e.g.
ou=example.com,dc=example,dc=com
andou=example.in,dc=example,dc=com
and then have sub containers for actual objects likecn=users,ou=example.com,dc=example,dc=com
. Note that while this approach offers better separation, it often turns out to be quite inefficient, as you now have to search the whole tree if you want to find an object in any of the domains.
An illustration:
Variant 1:
dc=example,dc=com cn=users cn=groups ------------------ Complete separation dc=example,dc=in cn=users cn=groups
Variant 2
dc=example,dc=com cn=users <---- Junction point ou=example.com uid=alice uid=bob ou=example.in uid=claire cn=groups <---- Junction point ou=example.com cn=accounting ou=example.in cn=hr
Variant 3
dc=example,dc=com ou=example.com cn=users cn=groups ou=example.in cn=users cn=groups
Related videos on Youtube
Atish Goswami
Howdy! My name is Atish Goswami. I am a Web Developer (mainly working on PHP). I like web designing / development and anything in between. When I am not coding I spend my days with trying/experimenting in different areas of web development from back end programming (PHP, Django/Python, Ruby on Rails) to front end engineering (HTML, CSS, and jQuery/Javascript), user experience, server administration and visual design. I am an outsource enthusiast, and mainly like working with PHP frameworks like Cakephp, Laravel and CMS’s like Wordpress, Drupal.
Updated on September 18, 2022Comments
-
Atish Goswami almost 2 years
I am trying to setup an LDAP server from scratch on a CENTOS 7 server. I was able to install it properly, but when it came to configuring it I am a bit stuck on the initial part.
The thing is the company I am setting this up for has 3 domains like:
- example.com
- example.in
- example-new.com
I am following this tutorial.
How is can I setup 3 different dc for a single LDAP server
-
Atish Goswami over 7 yearsThanks for the explanation, really helped me a lot to understand the structure of the data. I am really new to LDAP :)
-
Dolanor over 6 yearsIs there no way to have a common root that doesn't imply choosing
dc=example,dc=com
overdc=example,dc=in
Something likedc=example,dc=com,o=commonroot
? So we could docn=users,o=commonroot
and use them in the tree in each domaindc=example,dc=com,o=commonroot
. -
FooBee over 6 years@Dolanor: You can do quite a lot with things like referrals etc., but this depends on what you want to do specifically and I guess also on the LDAP implementation used and maybe even the client software - some stuff that nominally "supports LDAP" is quite inflexible with non-standard tree structures.
-
Dolanor over 6 yearsIt is OpenLDAP, so I guess it follows the standard as much as it can. But again, I'm not knowledgeable in LDAP at all. What I want to do is to have an LDAP that enables me to have the same password on different services via LDAP directly (for smtp, imap, owncloud, gitea, etc) and that can act as background storage for coreos/dex (oauth2) to also do same password for multiple services.