Setting up multiple domains in an LDAP server


The answer to that is dependent on how you want to use the LDAP server.

  • If you want to have three completely separate LDAP trees, you would configure multiple databases in the cn=config configuration with the olcDatabase object type. Note that if you do it this way, you would need to set up a separate LDAP connection for each LDAP tree and you can't search for objects in other domains at all.
  • If you just want a logical separation, e.g. having separate mail accounts for each domain, you would just add a junction point at appropriate branches in the tree. Something like ou=example.com,cn=users,dc=example,dc=com and ou=example.in,cn=users,dc=example,dc=com where each cn would hold the users for a subdomain. Depending on your needs, you would have multiple such junction points, other options might be cn=groups,dc=example,dc=com or cn=sites,dc=example,dc=com. This way, you can either search for users in ou=example.com,cn=users,dc=example,dc=com and find only users for that domain or you can search more globally in cn=users,dc=example,dc=com and find all users.
  • A third approach is to have multiple subtrees, e.g. ou=example.com,dc=example,dc=com and ou=example.in,dc=example,dc=com and then have sub-containers for actual objects like cn=users,ou=example.com,dc=example,dc=com. Note that while this approach offers better separation, it often turns out to be quite inefficient, as you now have to search the whole tree if you want to find an object in any of the domains.

An illustration:

  • Variant 1:

    dc=example,dc=com
        cn=users
        cn=groups
    ------------------  Complete separation
    dc=example,dc=in
        cn=users
        cn=groups

  • Variant 2:

    dc=example,dc=com
        cn=users                <---- Junction point
            ou=example.com
                uid=alice
                uid=bob
            ou=example.in
                uid=claire
        cn=groups               <---- Junction point
            ou=example.com
                cn=accounting
            ou=example.in
                cn=hr

  • Variant 3:

    dc=example,dc=com
        ou=example.com
            cn=users
            cn=groups
        ou=example.in
            cn=users
            cn=groups

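As an added illustration (not part of the answer above), here is a small Python model of LDAP search base and scope run over constructed entries laid out as Variant 2 and Variant 3. It shows why Variant 2 lets a lookup be scoped to one domain or to all domains just by choosing the base, while an all-domain user search in Variant 3 has to start at the root and pass over the group entries as well. All DNs, users and groups are hypothetical sample data.

```python
# Added example (not the answer's own code): a minimal model of LDAP search base
# and scope, to show how the Variant 2 and Variant 3 layouts above behave.
# All entries are constructed sample data; no live directory is contacted.
def parse_dn(dn: str) -> list:
    """Split a DN into (type, value) RDNs, lower-cased because DN matching for
    these attribute types is case-insensitive. Escaped commas are not handled."""
    return [tuple(p.strip().lower() for p in rdn.split("=", 1)) for rdn in dn.split(",")]

def in_scope(dn: str, base: str, scope: str) -> bool:
    """True if dn lies within `base` for scope 'base', 'one' or 'sub' (ldapsearch -s)."""
    d, b = parse_dn(dn), parse_dn(base)
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return False            # not under the base at all
    depth = len(d) - len(b)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

def scanned(entries: dict, base: str, scope: str) -> int:
    """How many entries the server must consider for this base/scope, before the filter."""
    return sum(in_scope(dn, base, scope) for dn in entries)

def search(entries: dict, base: str, scope: str, objectclass: str) -> list:
    """DNs in scope that match an (objectClass=...) filter, sorted for stable output."""
    return sorted(dn for dn, attrs in entries.items() if in_scope(dn, base, scope)
                  and objectclass.lower() in map(str.lower, attrs.get("objectClass", [])))

PERSON, GROUP = {"objectClass": ["inetOrgPerson"]}, {"objectClass": ["groupOfNames"]}
# Variant 2: junction points ou=<domain> under cn=users and cn=groups.
VARIANT2 = {
    "uid=alice,ou=example.com,cn=users,dc=example,dc=com": PERSON,
    "uid=bob,ou=example.com,cn=users,dc=example,dc=com": PERSON,
    "uid=claire,ou=example.in,cn=users,dc=example,dc=com": PERSON,
    "cn=accounting,ou=example.com,cn=groups,dc=example,dc=com": GROUP,
    "cn=hr,ou=example.in,cn=groups,dc=example,dc=com": GROUP,
}
# Variant 3: one subtree per domain, with cn=users / cn=groups beneath each.
VARIANT3 = {
    "uid=alice,cn=users,ou=example.com,dc=example,dc=com": PERSON,
    "uid=claire,cn=users,ou=example.in,dc=example,dc=com": PERSON,
    "cn=hr,cn=groups,ou=example.in,dc=example,dc=com": GROUP,
}

if __name__ == "__main__":
    # Variant 2: per-domain or all-domain user lookups just by choosing the base.
    print(search(VARIANT2, "ou=example.com,cn=users,dc=example,dc=com", "sub", "inetOrgPerson"))
    print(search(VARIANT2, "cn=users,dc=example,dc=com", "sub", "inetOrgPerson"))
    # Variant 3: an all-domain user search must start at the root and scans groups too.
    print(scanned(VARIANT3, "dc=example,dc=com", "sub"),
          search(VARIANT3, "dc=example,dc=com", "sub", "inetOrgPerson"))
```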
Author: Atish Goswami


Updated on September 18, 2022

Comments

  • Atish Goswami almost 2 years

    I am trying to set up an LDAP server from scratch on a CentOS 7 server. I was able to install it properly, but when it came to configuring it I am a bit stuck on the initial part.

    The thing is the company I am setting this up for has 3 domains like:

    • example.com
    • example.in
    • example-new.com

    I am following this tutorial.

    How can I set up 3 different dc for a single LDAP server?

  • Atish Goswami over 7 years
    Thanks for the explanation, really helped me a lot to understand the structure of the data. I am really new to LDAP :)
  • Dolanor over 6 years
    Is there no way to have a common root that doesn't imply choosing dc=example,dc=com over dc=example,dc=in? Something like dc=example,dc=com,o=commonroot? So we could do cn=users,o=commonroot and use them in the tree in each domain dc=example,dc=com,o=commonroot.
  • FooBee over 6 years
    @Dolanor: You can do quite a lot with things like referrals etc., but this depends on what you want to do specifically and I guess also on the LDAP implementation used and maybe even the client software - some stuff that nominally "supports LDAP" is quite inflexible with non-standard tree structures.
  • Dolanor over 6 years
    It is OpenLDAP, so I guess it follows the standard as much as it can. But again, I'm not knowledgeable in LDAP at all. What I want to do is to have an LDAP that enables me to have the same password on different services via LDAP directly (for smtp, imap, owncloud, gitea, etc) and that can act as background storage for coreos/dex (oauth2) to also do same password for multiple services.