On Mon, Jan 14, 2019 at 2:44 PM Zer0Cool <melin3...@gmail.com> wrote:
> Ok so from the responses it sounds like typically:
>
> ldap-user-base-dn: dc=mydomain,dc=com
> ldap-search-bind-dn: cn=myuser,ou=user_ou,dc=mydomain,dc=com
>
> should be using the same DC entries but that:
>
> ldap-hostname: myserver./mydomain/./com/
>
> could possibly be on another domain.
>
> However, it sounds like it is theoretically possible they are not.
>
> I ask as I am working on a script in which currently all 3 are prompted for
> and hand entered. I was wondering if I could reduce the amount prompted for
> and assume the DC portions.
>
> In other words something like:
> prompt for ldap-hostname
> skip asking for ldap-user-base-dn (assume the same domain as ldap-hostname)
> and then for ldap-search-bind-dn the user only enters
> "cn=user_name,ou=user_ou" and assume the DC portions in the underlying
> code.
>
> So far it sounds like the answer is that the majority of time this would be
> a safe assumption but there could be instances in which they would differ.
> If that's the case I can leave it as is and have it be fully entered and not
> make assumptions.

I would say that, while it may be a "safe assumption" 51% ("majority") of the time, it is not a good assumption. There may be a variety of reasons that the DNS domain (mydomain.com) differs from the LDAP tree base dn (dc=mydomain,dc=com), and you should prompt for each of them individually.

As someone who administers a decent number of systems and has done so for 20-ish years, I can say that having to enter that information a couple of different times is preferable to not being given that option and having the system make assumptions about the environment that result in troubleshooting a bad configuration.

You could try to derive the values and use those derived values as defaults, but still give the option to enter something different - that might be a good compromise between extra key strokes and environments that don't match your assumptions.

-Nick
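The compromise Nick describes, derived defaults that the operator can still override, as an added Python example (not code from this thread or from any LDAP client project). It assumes the three setting names used in the thread, derives a `dc=...` base DN from the domain part of `ldap-hostname`, shows it as a default the user can accept with an empty answer or replace, and only appends the confirmed base DN to `ldap-search-bind-dn` when the user left the DC components off. Bare hosts and IP literals yield no default, so the prompt then requires a full value rather than guessing. The `read` parameter is a test seam (hypothetical; it defaults to `input`).

```python
"""Derive LDAP base-DN defaults from ldap-hostname, but always allow an override."""
import re
from typing import Callable, Dict, Optional

# One DNS label: alphanumerics and hyphens, no leading/trailing hyphen, max 63 chars.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def dns_domain_to_base_dn(hostname: str) -> Optional[str]:
    """Turn 'myserver.mydomain.com' into 'dc=mydomain,dc=com'.

    Returns None when nothing can be derived safely (single-label host,
    IPv4/IPv6 literal, or a label that is not a valid DNS label), so the
    caller prompts without a default instead of offering a bad guess.
    """
    host = hostname.strip().rstrip(".").lower()
    labels = host.split(".")
    if len(labels) < 2:
        return None                      # "localhost": no domain part at all
    if all(label.isdigit() for label in labels):
        return None                      # IPv4 literal such as 10.0.0.5
    domain_labels = labels[1:]           # drop the host label itself
    if not all(LABEL_RE.match(label) for label in domain_labels):
        return None                      # IPv6 (contains ':') or junk
    # Labels are validated above, so no DN escaping is needed here.
    return ",".join(f"dc={label}" for label in domain_labels)


def has_dc_suffix(dn: str) -> bool:
    """True when the last RDN of the DN is a dc= component."""
    return dn.lower().split(",")[-1].strip().startswith("dc=")


def prompt_with_default(label: str, default: Optional[str],
                        read: Callable[[str], str] = input) -> str:
    """Prompt; an empty answer accepts the shown default, if there is one."""
    suffix = f" [{default}]" if default else ""
    while True:
        answer = read(f"{label}{suffix}: ").strip()
        if answer:
            return answer
        if default:
            return default
        # No default and no answer: ask again rather than assume anything.


def collect_ldap_settings(read: Callable[[str], str] = input) -> Dict[str, str]:
    """Collect the three settings, deriving defaults but never forcing them."""
    hostname = prompt_with_default("ldap-hostname", None, read)
    derived = dns_domain_to_base_dn(hostname)
    base_dn = prompt_with_default("ldap-user-base-dn", derived, read)
    bind_dn = prompt_with_default("ldap-search-bind-dn", None, read)
    # Only fill in the DC portion if the operator left it off; a fully
    # qualified bind DN (possibly in another tree) is kept exactly as typed.
    if not has_dc_suffix(bind_dn):
        bind_dn = f"{bind_dn},{base_dn}"
    return {
        "ldap-hostname": hostname,
        "ldap-user-base-dn": base_dn,
        "ldap-search-bind-dn": bind_dn,
    }


if __name__ == "__main__":
    for key, value in collect_ldap_settings().items():
        print(f"{key}: {value}")
```

Accepting the default costs one keystroke, while an environment whose LDAP tree does not match its DNS domain still gets a correct configuration because the prompt never skips the value, it only pre-fills it.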
> Ok so from the responses it sounds like typically: > > ldap-user-base-dn: dc=mydomain,dc=com > ldap-search-bind-dn: cn=myuser,ou=user_ou,dc=mydomain,dc=com > > should be using the same DC entries but that: > > ldap-hostname: myserver./mydomain/./com/ > > could possibly be on another domain. > > However, it sounds like it theoretically possible they are not. > > I ask as I am working on a script in which currently all 3 are prompted for > and hand entered. I was wondering if I could reduce the amount prompted for > and assume the DC portions. > > In other words something like: > prompt for ldap-hostname > skip asking for ldap-user-base-dn (assume the same domain as ldap-hostname) > and then for ldap-search-bind-dn the user only enters > "cn=user_name,ou=user_ou" and assume the DC portions in the underlying > code. > > So far it sounds like the answer is that the majority of time this would be > a safe assumption but there could be instances in which they would differ. > If thats the case I can leave it as is and have it be fully entered and not > make assumptions. > I would say that, while it may be a "safe assumption" 51% ("majority") of the time, it is not a good assumption. There may be a variety of reasons that the DNS domain (mydomain.com) differs from the LDAP tree base dn (dc=mydomain,dc=com), and that you should prompt for each of them individually. As someone who administers a decent number of systems and has done so for 20-ish years, I can say that having to enter that information a couple of different times is preferable to not being given that option and having the system make assumptions about the environment that result in troubleshooting a bad configuration. You could try to derive the values and use those derived values as defaults, but still give the option to enter something different - that might be a good compromise between extra key strokes and environments that don't match your assumptions. -Nick