directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Enrique Rodriguez <>
Subject Re: DNS zones in the LDAP namespace
Date Fri, 30 Sep 2005 23:03:34 GMT
Me again,

I don't want to cloud my question too much, but I'd like to point out I 
have a similar issue with mapping Kerberos principals and realms to the 
DIT.  I'd like to come up with a common story for users.  I am currently 
putting Kerberos principals under:

dn: uid=erodriguez, ou=Users, dc=example,dc=com
objectclass: krb5Principal
objectclass: krb5KDCEntry

And the krb5kdc.schema has an objectclass 'krb5Realm' which I'm not using.


Enrique Rodriguez wrote:
> Hi,
> I am looking for help designing a default LDAP-DNS namespace.  I have 
> the DNS protocol provider largely working with basic record types SOA, 
> A, NS, CNAME, PTR, MX, and SRV.  I am currently serving zones using the 
> Active Directory-style ",ou=forward lookup 
> zones,ou=dns,ou=system."  This has been fine for testing, but I'm 
> wondering if anyone out there has experience in this area and would like 
> to provide feedback.
> I am wondering if it doesn't make more sense to put zones under domain 
> components [1] such as the suffix "dc=example,dc=com" or under 
> "ou=Zones,dc=example,dc=com" if that keeps things cleaner.  The 
> advantages I see here are a more intuitive layout and better support for 
> ACI and repl if the zone layout matches the DIT layout.  Sometimes I 
> think M$ does things specifically to make you buy more servers.  Imagine 
> that.
> So, to phrase this as a tighter question, let's say you have two DNS 
> zones, and  What would the LDAP namespace look 
> like and where/how would you place the SOA and A records?
> If I'm missing common knowledge, in books or RFCs, please feel free to 
> point that out.  I'm almost done "Understanding and Deploying LDAP 
> Directory Services" and I just started "LDAP Directories Explained: An 
> Introduction and Analysis" and I read 5 or so relevant RFCs.
> Of course I plan to make the zone layout configurable so both styles 
> above are supported using a configurable layer-of-indirection, but we 
> still need to ship something default.
> Enrique
> [1] RFC 2247 - Using Domains in LDAP/X.500 Distinguished Names

View raw message