On Mon, Jan 14, 2019 at 2:44 PM Zer0Cool <melin3...@gmail.com> wrote:

> Ok so from the responses it sounds like typically:
>
> ldap-user-base-dn: dc=mydomain,dc=com
> ldap-search-bind-dn: cn=myuser,ou=user_ou,dc=mydomain,dc=com
>
> should be using the same DC entries but that:
>
> ldap-hostname: myserver.mydomain.com
>
> could possibly be on another domain.
>
> However, it sounds like it is theoretically possible they are not.
>
> I ask as I am working on a script in which currently all 3 are prompted for
> and hand entered. I was wondering if I could reduce the amount prompted for
> and assume the DC portions.
>
> In other words something like:
> prompt for ldap-hostname
> skip asking for ldap-user-base-dn (assume the same domain as ldap-hostname)
> and then for ldap-search-bind-dn the user only enters
> "cn=user_name,ou=user_ou" and assume the DC portions in the underlying
> code.
>
> So far it sounds like the answer is that the majority of time this would be
> a safe assumption but there could be instances in which they would differ.
> If that's the case I can leave it as is and have it be fully entered and not
> make assumptions.
>

I would say that, while it may be a "safe assumption" 51% ("majority") of
the time, it is not a good assumption.  There may be a variety of reasons
that the DNS domain (mydomain.com) differs from the LDAP tree base dn
(dc=mydomain,dc=com), and that you should prompt for each of them
individually.  As someone who administers a decent number of systems and
has done so for 20-ish years, I can say that having to enter that
information a couple of different times is preferable to not being given
that option and having the system make assumptions about the environment
that result in troubleshooting a bad configuration.

You could try to derive the values and use those derived values as
defaults, but still give the option to enter something different - that
might be a good compromise between extra key strokes and environments that
don't match your assumptions.

-Nick
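The compromise Nick describes, derive the DC components from the hostname's DNS domain but show them only as an editable default, as an added example in Python (this is not the original poster's script and not code from this thread). The three property names are the ones quoted above; the derivation rule (drop the host label, turn the remaining DNS labels into `dc=` components) and the helper names are assumptions, and the example refuses to derive anything from an IP address or a bare hostname so the operator is always prompted in those cases.

```python
"""Derive LDAP DN defaults from a hostname, but let the operator override them."""
import re
from typing import Callable, Dict, Optional

# A single DNS label: letters, digits, hyphens (hypothetical, conservative check).
LABEL_RE = re.compile(r"[a-z0-9-]+")
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def derive_base_dn(hostname: str) -> Optional[str]:
    """Turn 'myserver.mydomain.com' into 'dc=mydomain,dc=com'.

    Returns None when nothing sensible can be derived (IP address, bare
    hostname, malformed labels) so the caller knows it must prompt instead.
    """
    host = hostname.strip().rstrip(".").lower()
    if not host or ":" in host or IPV4_RE.fullmatch(host):
        return None
    labels = host.split(".")
    if len(labels) < 2:
        return None
    domain_labels = labels[1:]  # drop the host label, keep the DNS domain
    if any(not LABEL_RE.fullmatch(label) for label in domain_labels):
        return None
    return ",".join(f"dc={label}" for label in domain_labels)


def complete_bind_dn(entered: str, base_dn: str) -> str:
    """Append base_dn when the operator typed only the relative part.

    A value that already contains a dc= component is taken as a full DN,
    which covers bind accounts that live in a different tree than the users.
    """
    entered = entered.strip().rstrip(",")
    if not entered:
        raise ValueError("ldap-search-bind-dn is required")
    if re.search(r"(^|,)\s*dc=", entered, re.IGNORECASE):
        return entered
    return f"{entered},{base_dn}"


def prompt_with_default(label: str, default: Optional[str],
                        ask: Callable[[str], str] = input) -> str:
    """Ask for a value, showing the derived default; an empty answer accepts it."""
    suffix = f" [{default}]" if default else ""
    answer = ask(f"{label}{suffix}: ").strip()
    if answer:
        return answer
    if default is None:
        raise ValueError(f"{label} is required and could not be derived")
    return default


def collect_ldap_settings(ask: Callable[[str], str] = input) -> Dict[str, str]:
    """Prompt for the three settings from the thread, offering derived defaults.

    `ask` is injectable so the flow can be driven without a terminal.
    """
    hostname = prompt_with_default("ldap-hostname", None, ask)
    base_dn = prompt_with_default("ldap-user-base-dn", derive_base_dn(hostname), ask)
    bind_dn = complete_bind_dn(
        ask("ldap-search-bind-dn (relative to base DN, or a full DN): "), base_dn)
    return {
        "ldap-hostname": hostname,
        "ldap-user-base-dn": base_dn,
        "ldap-search-bind-dn": bind_dn,
    }


if __name__ == "__main__":
    for key, value in collect_ldap_settings().items():
        print(f"{key}: {value}")
```

Pressing Enter at the `ldap-user-base-dn` prompt accepts the derived default; typing a different base DN, or a bind DN that already carries its own `dc=` components, overrides the assumption, so an environment where the DNS domain and the LDAP tree differ costs a few extra keystrokes rather than a misconfiguration.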
