Activity
dolanor commented on Dec 9, 2017
I have the exact same question and I struggled to find the answer.
From what I could gather, yes you could. Doing multiple domains with one common root would be easier (for example, multiple domains under .com (dc=com)).
But in the end, LDAP is pretty flexible and I needed multiple TLDs.
So, what I did is to create a TLD called multiverse, and under it, put different real-life TLDs.
I have:
dc=mydomain,dc=com,dc=multiverse
dc=clientdomain,dc=io,dc=multiverse
Then, you can just set your base DN to be dc=multiverse to search real TLDs as dc=clientdomain,dc=io without the need to add the dc=multiverse suffix.
parthg13 commented on Apr 22, 2020
@dolanor , have you tried your method in the osixia docker image or directly on a system? Also, please could you help me with where exactly your changes are supposed to be made? I have been struggling with it for a long time.
Any help would be appreciated. :-)
marinipete commented on Feb 3, 2022
@parthg13 I'm struggling with the same issue, have you figured this out ?
dolanor commented on Feb 3, 2022
God, I'm sorry I missed this call for help, @parthg13 . Yes I did it on the docker image. But it is mainly how you structure your LDAP hierarchy, actually.
What's your problem, @marinipete ?
marinipete commented on Feb 10, 2022
Hey there, @dolanor . I was off for a while, let me detail the scenario.
I'm migrating an LDAP base (an Oracle LDAP base) to OpenLDAP, and I'm using this image to dockerize the OpenLDAP. In the current Oracle implementation, there is a **root** parent DN; with that I can simply add as many suffixes as I want under this root, and it doesn't need to be specified in LDAP queries, so it's transparent for the LDAP clients.
Now, I'm trying to translate this to OpenLDAP using this image. I've already inspected the startup.sh and it looks like the code expects only one string for LDAP_DOMAIN and LDAP_BASE_DN; I guess this could be altered by extending the image.
Now, from what I read about OpenLDAP, it is a best practice to have different suffixes in different databases. However, I have one limitation right now: I use only one DNS name for all my LDAP suffixes, and since Oracle has this transparent root that I talked about, all LDAP applications use this single DNS endpoint independently of the tree being queried (since it's not necessary to specify the root). I need to keep it that way, as having multiple DNS names for different suffixes would require an update in a lot of applications.
Do you know if that's possible with OpenLDAP?
I would appreciate any kind of insight.
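On the question above about serving several suffixes from one hostname: OpenLDAP does allow more than one database in the same slapd, each with its own olcSuffix, and all of them answer on the same listener, so a single DNS name and port can front every suffix; what selects the tree is the base DN the client sends, not the hostname. The cn=config LDIF below is an added example written for this thread, not code from the osixia image or from anyone posting here. It assumes the server already has olcDatabase={1}mdb serving dc=mydomain,dc=com, that the back_mdb module is loaded, that /var/lib/ldap/clientdomain.io exists and is owned by the slapd user, and that the suffix, root DN, directory and password placeholder are yours to replace.

```ldif
# Added example: a second mdb database with its own suffix in the same slapd.
# Apply with:  ldapadd -Y EXTERNAL -H ldapi:/// -f clientdomain-db.ldif
# Assumptions: {1}mdb already serves dc=mydomain,dc=com, back_mdb is loaded,
# and the directory below exists and is owned by the slapd user.
dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {2}mdb
olcSuffix: dc=clientdomain,dc=io
olcDbDirectory: /var/lib/ldap/clientdomain.io
olcRootDN: cn=admin,dc=clientdomain,dc=io
olcRootPW: {SSHA}REPLACE-WITH-OUTPUT-OF-slappasswd
olcDbIndex: objectClass eq
olcDbIndex: uid eq
olcDbIndex: uniqueMember eq
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by dn.exact="cn=admin,dc=clientdomain,dc=io" write
  by * none
olcAccess: {1}to *
  by dn.exact="cn=admin,dc=clientdomain,dc=io" write
  by dn.subtree="dc=clientdomain,dc=io" read
  by * none
```

After the database exists, bind as its rootdn (`-D cn=admin,dc=clientdomain,dc=io`) and add the suffix entry itself, `dn: dc=clientdomain,dc=io` with objectClass dcObject and organization, then the rest of that tree; `{1}mdb` is untouched. Two things a practitioner should check: `olcRootPW` must be a hash from `slappasswd`, never cleartext, and the read rule deliberately says `by dn.subtree="dc=clientdomain,dc=io"` rather than `by users`, because `users` matches any authenticated DN, including accounts that bound against the dc=mydomain,dc=com database, which would let one tenant's users read the other tenant's tree through the shared endpoint. Since ACLs and rootdn are per database, this layout also keeps the administrator of one suffix from having any rights over the other, which a single shared root does not give you without extra ACL work.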
dolanor commented on Mar 14, 2022
I would say it is possible, as I do this myself.
I handle multiple domains with different TLDs.
As I said, my LDAP tree is as follows:
dc=mydomain,dc=com,dc=multiverse
dc=clientdomain,dc=io,dc=multiverse
I must say that I didn't connect my DNS directly to this LDAP, so it doesn't generate DNS records for me. I was confused on how LDAP worked and how to deal with it.
So my DNS is handled manually with my registrar to point to the correct server IP address.
But in each domain, I can have many apps (e.g. nextcloud) as a CN with uniqueMember applied to it, and in it I store the useful info (which user has access to this app, for example). And in each app, I check this group's uniqueMembers to see if this LDAP-authenticated user has access to this app.
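The single-root layout described in the comments above, written out as data LDIF. This is an added example for the thread, not dolanor's actual tree and not anything shipped with the osixia image: two real-life domains under one invented dc=multiverse suffix, one user in the client domain, and an application group of the kind described above, a groupOfUniqueNames named after the app whose uniqueMember values are the users allowed to use it. It assumes a database whose suffix is dc=multiverse and whose root entry does not exist yet; alice, ou=users, ou=apps, nextcloud and the hostname in the comments are placeholders.

```ldif
# Added example: one invented root (dc=multiverse) holding two real domains.
# Apply as the database rootdn, e.g.:
#   ldapadd -x -H ldap://ldap.example.internal -D cn=admin,dc=multiverse -W -f multiverse.ldif
# Assumptions: the database suffix is dc=multiverse and its root entry is not
# there yet; every other name below is a placeholder.

dn: dc=multiverse
objectClass: dcObject
objectClass: organization
dc: multiverse
o: multiverse

dn: dc=com,dc=multiverse
objectClass: dcObject
objectClass: organization
dc: com
o: com

dn: dc=mydomain,dc=com,dc=multiverse
objectClass: dcObject
objectClass: organization
dc: mydomain
o: mydomain

dn: dc=io,dc=multiverse
objectClass: dcObject
objectClass: organization
dc: io
o: io

dn: dc=clientdomain,dc=io,dc=multiverse
objectClass: dcObject
objectClass: organization
dc: clientdomain
o: clientdomain

dn: ou=users,dc=clientdomain,dc=io,dc=multiverse
objectClass: organizationalUnit
ou: users

# No userPassword here: set it afterwards with ldappasswd so no cleartext
# secret lands in a file that gets committed.
dn: uid=alice,ou=users,dc=clientdomain,dc=io,dc=multiverse
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
sn: Example
mail: alice@clientdomain.io

dn: ou=apps,dc=clientdomain,dc=io,dc=multiverse
objectClass: organizationalUnit
ou: apps

# One group per application; membership is the access decision the app checks.
dn: cn=nextcloud,ou=apps,dc=clientdomain,dc=io,dc=multiverse
objectClass: groupOfUniqueNames
cn: nextcloud
uniqueMember: uid=alice,ou=users,dc=clientdomain,dc=io,dc=multiverse
```

Every DN in this tree ends in dc=multiverse, so an application configured with base dc=multiverse and subtree scope reaches both domains from the same server, and the per-app check is one search, for instance `ldapsearch -x -H ldap://ldap.example.internal -D uid=alice,ou=users,dc=clientdomain,dc=io,dc=multiverse -W -b dc=multiverse '(&(objectClass=groupOfUniqueNames)(cn=nextcloud)(uniqueMember=uid=alice,ou=users,dc=clientdomain,dc=io,dc=multiverse))' dn`, which returns the group entry only when alice is a member. Two caveats: groupOfUniqueNames requires at least one uniqueMember in the core schema, so an empty app group is rejected at add time; and because both domains live in one database under one rootdn, the default ACLs make no distinction between them, so scope access with rules such as `to dn.subtree="dc=clientdomain,dc=io,dc=multiverse" by dn.subtree="dc=clientdomain,dc=io,dc=multiverse" read by * none` for each domain, or a user from mydomain.com can enumerate clientdomain.io's users and groups through the shared base DN.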