On 4/23/06, Benno <[EMAIL PROTECTED]> wrote:
>
> I don't understand what you are trying to say here. I am aware of the
> acronym expansions and the meaning of the terms and my previous
> statement stands as is.
>
> Specifically the base DN, that is the root of an information hierarchy,
> could be related to a server's DNS record, or, equally, it could be
> totally unrelated, or confusingly it could be related to a different
> organisation's domain name.
>
> For example, some base DNs could be: (taken from
> http://www.idevelopment.info/data/LDAP/LDAP_Resources/DEPLOY_Choosing_a_Base_DN.shtml)
>
> o="idevelopment", c=US
> (base DN in X.500 format)
>
This is covered by RFC 2256. This X.500 format was originally used before the
Internet. Translated to IETF format this should be 'dc=idevelopment,dc=com'.
This organization has the domain name 'idevelopment.com' in accordance with RFC 3663.

> o=idevelopment.info
> (base DN derived from the company's Internet presence)

Which RFC is this?

> dc=idevelopment, dc=info
> (base DN derived from the company's DNS domain components)

OP (original poster) is using 'dc=idevelopment, dc=info', which you say is a DN
component derived from the company's DNS domain. This is RFC 3663. Since the DN
used has the domain components 'dc=example,dc=com', the organization has the
domain name 'example.com'. Now, as it turned out, 'example.com' is an active
domain and belongs to someone else (# whois example.com). So with
'HOST ldap.example.com' in the client's ldap.conf, the client, which is
# ldapadd -x -D "cn=Manager,cn=example,dc=com", will ask the authoritative DNS
where to find 'ldap.example.com'. The client will be directed to an LDAP server
'ldap.example.com' if there is such a server. Since that server is not the
intended server, it will return errors even when the DN and the password are
right. Why is 'ldapsearch -x' returning an error? This was the question.

> The important thing that was being said when someone else in this
> thread mentioned DNS and distinguished names, was that the ldap server
> doesn't imply any information about domain names. (Although I guess it
> wouldn't be unreasonable for it to imply this as dc stands for domain
> component). In any case, there is no problem for my LDAP server,
> whether connected to the internet or not, to store information about a
> distinguished name 'dc=example,dc=com', regardless of whether
> example.com exists, or whether I own it, or any such thing.
>
> Jamie originally wrote:
>
> "The bind DN and base DN have no relation to DNS except for
> namespacing. It is perfectly fine to use dc=example,dc=org as a DN
> during testing."
OP was using dc=example,dc=com and RFC 3663 says in this case the domain is
example.com. You did not read RFC 3663. It will refer you to other related RFCs.
Did you? HTH.

PG

--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
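Added example, not code posted by anyone in this thread: the mapping the posters are arguing about is the one defined in RFC 2247, which turns a DNS domain name into a DN by making each DNS label one dc= RDN, in the same order, and nothing more. The script below parses the three base-DN styles quoted above (splitting on unescaped commas and tolerating the space after the comma in 'dc=idevelopment, dc=info'), derives the domain name only when every RDN is a dc component, and goes the other way for a domain name. The function names and the sample DNs are constructed for this example; it contacts neither DNS nor an LDAP server.

```python
"""Convert between DNS domain names and dc-style LDAP DNs (RFC 2247 mapping).

Added example, not code from the mailing-list thread. The mapping is purely
syntactic: deriving 'example.com' from 'dc=example,dc=com' says nothing about
who controls example.com, and nothing here performs a DNS lookup.
"""
import re

# One RDN component "attr=value", with surrounding whitespace tolerated.
_RDN_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$")


def split_dn(dn):
    """Split a DN string into RDN strings on unescaped commas (RFC 4514 syntax)."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep the escape pair ("\," etc.) intact
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def parse_dn(dn):
    """Return [(attribute, value), ...] for a DN such as 'dc=example, dc=com'.

    Attribute types are lower-cased; backslash escapes in values are removed.
    Raises ValueError on an RDN that is not of the form attr=value.
    """
    rdns = []
    for part in split_dn(dn):
        m = _RDN_RE.match(part)
        if not m:
            raise ValueError("malformed RDN: %r" % part)
        attr, value = m.group(1).lower(), m.group(2)
        value = re.sub(r"\\(.)", r"\1", value)  # unescape \, \= \" ...
        rdns.append((attr, value))
    return rdns


def dn_to_domain(dn):
    """RFC 2247 in reverse: join the dc values, in DN order, with dots.

    Returns None when any RDN is not a dc component, so the X.500-style
    'o="idevelopment", c=US' and 'o=idevelopment.info' yield no domain at all.
    """
    rdns = parse_dn(dn)
    if not rdns or any(attr != "dc" for attr, _ in rdns):
        return None
    return ".".join(value for _, value in rdns).lower()


def domain_to_dn(domain):
    """RFC 2247 forward: each DNS label becomes one dc= RDN, same order."""
    labels = [l for l in domain.strip().rstrip(".").split(".") if l]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("dc=%s" % l.lower() for l in labels)


if __name__ == "__main__":
    # Constructed sample input: the three base-DN styles quoted in the thread.
    for sample in ('o="idevelopment", c=US', "o=idevelopment.info",
                   "dc=idevelopment, dc=info", "dc=example,dc=com"):
        print("%-28s -> %s" % (sample, dn_to_domain(sample)))
    print("example.com -> %s" % domain_to_dn("example.com"))
```

Which server ldapsearch or ldapadd actually talks to is taken from the -H option or the URI/HOST line in ldap.conf, not from the base DN, so when a bind against a test tree such as dc=example,dc=com fails, the first check is that -H (or ldap.conf) points at the intended host rather than at whatever ldap.example.com resolves to.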
