directory-dev mailing list archives

From Enrique Rodriguez <>
Subject Re: DNS zones in the LDAP namespace
Date Sat, 01 Oct 2005 14:29:37 GMT

Regarding locating DNS zones and Kerberos realms in the DIT, I think I 
found the approach I'd like to take.  Basically, you can have zones and 
realms anywhere in the DIT.  The DNS protocol provider will find zones 
by searching with filter (|(objectClass=dcObject)(objectClass=domain)) 
and the Kerberos protocol provider will find realms by searching with 
filter (objectClass=krb5Realm).  objectClass'es dcObject and krb5Realm 
are AUXILIARY so you can put them anywhere.  You'll want objectClass set 
as an indexed attribute in your partition configuration.  This would 
replace the "layer-of-indirection" I mentioned, below.  Other than using 
these objectClass'es in your namespace, you will have to configure what 
partitions are "active" for zone and realm serving.  So, if you have 
more than one partition, the providers won't have to do any goofy 
rootDSE interrogation or unnecessary searching.  I'll wait until later 
this coming week to see if any of the more experienced namespace/schema 
folks have more feedback.


Enrique Rodriguez wrote:
> Me again,
> I don't want to cloud my question too much, but I'd like to point out I 
> have a similar issue with mapping Kerberos principals and realms to the 
> DIT.  I'd like to come up with a common story for users.  I am currently 
> putting Kerberos principals under:
> dn: uid=erodriguez, ou=Users, dc=example,dc=com
> ...
> objectclass: krb5Principal
> objectclass: krb5KDCEntry
> And the krb5kdc.schema has an objectclass 'krb5Realm' which I'm not using.
> Enrique
> Enrique Rodriguez wrote:
>> Hi,
>> I am looking for help designing a default LDAP-DNS namespace.  I have 
>> the DNS protocol provider largely working with basic record types SOA, 
>> A, NS, CNAME, PTR, MX, and SRV.  I am currently serving zones using 
>> the Active Directory-style ",ou=forward lookup 
>> zones,ou=dns,ou=system."  This has been fine for testing, but I'm 
>> wondering if anyone out there has experience in this area and would 
>> like to provide feedback.
>> I am wondering if it doesn't make more sense to put zones under domain 
>> components [1] such as the suffix "dc=example,dc=com" or under 
>> "ou=Zones,dc=example,dc=com" if that keeps things cleaner.  The 
>> advantages I see here are a more intuitive layout and better support 
>> for ACI and repl if the zone layout matches the DIT layout.  Sometimes 
>> I think M$ does things specifically to make you buy more servers.  
>> Imagine that.
>> So, to phrase this as a tighter question, let's say you have two DNS 
>> zones, and  What would the LDAP namespace look 
>> like and where/how would you place the SOA and A records?
>> If I'm missing common knowledge, in books or RFCs, please feel free to 
>> point that out.  I'm almost done "Understanding and Deploying LDAP 
>> Directory Services" and I just started "LDAP Directories Explained: An 
>> Introduction and Analysis" and I read 5 or so relevant RFCs.
>> Of course I plan to make the zone layout configurable so both styles 
>> above are supported using a configurable layer-of-indirection, but we 
>> still need to ship something default.
>> Enrique
>> [1] RFC 2247 - Using Domains in LDAP/X.500 Distinguished Names
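The discovery scheme from the top of the thread (AUXILIARY classes anywhere in the DIT, found with an objectClass filter and limited to the partitions configured as "active"), as an added Python sketch that is not code from this thread or from the Apache Directory project. The LDIF is constructed, zone and realm names are derived from the DN with the RFC 2247 dc-to-domain mapping, and ZONE_CLASSES/REALM_CLASSES are this example's own names for the two filters.

```python
import re
# Constructed sample LDIF (not from the thread): zones and a realm at arbitrary
# DIT locations, attached via the AUXILIARY classes dcObject and krb5Realm.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
objectClass: domain
dc: example

dn: dc=corp,dc=example,dc=com
objectClass: organizationalUnit
objectClass: dcObject
objectClass: krb5Realm
dc: corp

dn: dc=lab,dc=test
objectClass: organization
objectClass: dcObject
dc: lab
"""

ZONE_CLASSES = ["dcObject", "domain"]   # the DNS provider's filter terms
REALM_CLASSES = ["krb5Realm"]           # the Kerberos provider's filter term

def parse_ldif(text):
    """Minimal LDIF reader: one {attr(lowercase): [values]} dict per entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for attr, _, value in (ln.partition(":") for ln in block.splitlines()):
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def dn_to_domain(dn):
    """RFC 2247 mapping: dc=corp,dc=example,dc=com -> corp.example.com."""
    rdns = [r.strip().lower() for r in dn.split(",")]
    return ".".join(r[3:] for r in rdns if r.startswith("dc="))

def in_active_partition(dn, partitions):
    """True when dn sits under one of the configured 'active' partition suffixes."""
    d = dn.replace(" ", "").lower()
    return any(d == p or d.endswith("," + p)
               for p in (s.replace(" ", "").lower() for s in partitions))

def discover(entries, classes, partitions):
    """Emulates (|(objectClass=c1)(objectClass=c2)...) scoped to the active
    partitions; returns {RFC 2247 domain name: entry DN}."""
    wanted = {c.lower() for c in classes}
    return {dn_to_domain(e["dn"][0]): e["dn"][0] for e in entries
            if {oc.lower() for oc in e.get("objectclass", [])} & wanted
            and in_active_partition(e["dn"][0], partitions)}
```

With only dc=example,dc=com active, dc=lab,dc=test is never returned even though it carries dcObject, which is the point of configuring active partitions instead of interrogating the rootDSE.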
