Sun Java Communications Suite 5 Deployment Planning Guide

Benefits of a One-Tree DIT Structure

The main advantages of using the one-tree structure (Schema 2 native mode) are simpler aliasing, data partitioning for organization-specific access control, and a better fit with existing single-DIT LDAP applications, as described in the rest of this section.

As illustrated in the following figure, in the two-tree structure some DC Tree nodes point directly to a node in the Organization Tree (using the inetDomainBaseDN attribute). Other DC Tree nodes are alias nodes which, instead of pointing directly to an Organization Tree node, point to another DC Tree node using the aliasedObjectName attribute.

Figure 3–3 Two-Tree Aliasing With aliasedDomainName and inetDomainBaseDN

This diagram shows the two-tree LDAP with an aliasedObjectName set up.

In the previous figure, in the DC Tree points to in the DC Tree using aliasedObjectName, and points to the like-named node in the Organization Tree, using inetDomainBaseDN.

Furthermore, as shown in Figure 3–4, there could be one or more nodes in the DC Tree using inetDomainBaseDN to point directly to the same node in the Organization Tree. In this case, a “tie-breaker” attribute, inetCanonicalDomainName, is necessary on one of the DC Tree nodes to designate which is the “real” domain name (the domain where the mail actually resides and where the mail is routed).

Figure 3–4 Two-Tree Aliasing With inetCanonicalDomainName

This diagram shows the two-tree LDAP with two DC Tree nodes pointing to the same Organization Tree node, using inetCanonicalDomainName.

By contrast, a one-tree structure contains only an Organization Tree, as shown in the following figure.

Figure 3–5 One-Tree Aliasing With associatedDomain

This diagram demonstrates the simplified way aliases are handled in Sun ONE Schema, v.2.

In the one-tree structure, domain nodes in the Organization Tree carry all the domain attributes formerly found on the DC Tree. Each domain node is identified by the sunManagedOrganization object class and the sunPreferredDomain attribute, which holds the DNS domain name. A domain node can also have one or more associatedDomain attributes, which list the alias names by which this domain is known. Unlike the two-tree structure, there are no duplicate nodes for the alias names.
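The following is an added example, not part of the Sun guide, that contrasts the two resolution paths described above: in the two-tree layout a lookup starts at a DC Tree node, follows any aliasedObjectName hops, reads inetDomainBaseDN, and then needs the inetCanonicalDomainName tie-breaker when several DC Tree nodes point at the same Organization Tree node; in the one-tree layout a single search on sunPreferredDomain or associatedDomain is enough. The LDIF is constructed sample data (the domain names, the o=isp and o=internet suffixes, and the objectClass values on the DC Tree entries are assumptions), and the LDIF reader is deliberately minimal.

```python
"""Resolve a mail domain to its Organization Tree node in the two-tree
(DC Tree + Organization Tree) and one-tree (Schema 2 native) layouts.
Added example; constructed data, not from the Sun guide."""
from collections import defaultdict

# Constructed sample data; domain names and suffixes are hypothetical.
TWO_TREE_LDIF = """\
dn: dc=sesta,dc=com,o=internet
objectClass: domain
objectClass: inetDomain
dc: sesta
inetDomainBaseDN: o=sesta.com,o=isp
inetCanonicalDomainName: sesta.com

dn: dc=siroe,dc=com,o=internet
objectClass: alias
objectClass: extensibleObject
dc: siroe
aliasedObjectName: dc=sesta,dc=com,o=internet

dn: dc=varrius,dc=com,o=internet
objectClass: domain
objectClass: inetDomain
dc: varrius
inetDomainBaseDN: o=sesta.com,o=isp

dn: o=sesta.com,o=isp
objectClass: organization
o: sesta.com
"""

ONE_TREE_LDIF = """\
dn: o=sesta.com,o=isp
objectClass: organization
objectClass: sunManagedOrganization
o: sesta.com
sunPreferredDomain: sesta.com
associatedDomain: siroe.com
associatedDomain: varrius.com
"""


def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attr: [values]}}; no base64 or line folding."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs[name.strip()].append(value.strip())
        dn = attrs.pop("dn")[0]
        entries[dn] = dict(attrs)
    return entries


def dc_tree_dn(domain):
    """Map a DNS name onto its DC Tree entry (dc=label,...,o=internet)."""
    return ",".join(f"dc={label}" for label in domain.lower().split(".")) + ",o=internet"


def resolve_two_tree(entries, domain, max_hops=8):
    """Follow aliasedObjectName hops, then inetDomainBaseDN.
    Returns (org_dn, canonical_domain) or None if the domain is unknown."""
    dn = dc_tree_dn(domain)
    for _ in range(max_hops):
        entry = entries.get(dn)
        if entry is None:
            return None
        if "aliasedObjectName" in entry:
            dn = entry["aliasedObjectName"][0]  # alias node: hop to another DC Tree node
            continue
        org_dn = entry["inetDomainBaseDN"][0]
        break
    else:
        raise ValueError("alias chain too long (possible loop)")
    # Several DC Tree nodes may point at the same Organization Tree node;
    # exactly one of them must carry the inetCanonicalDomainName tie-breaker.
    pointers = [e for e in entries.values() if e.get("inetDomainBaseDN") == [org_dn]]
    canonical = [e["inetCanonicalDomainName"][0]
                 for e in pointers if "inetCanonicalDomainName" in e]
    if len(pointers) > 1 and len(canonical) != 1:
        raise ValueError(f"{org_dn}: {len(pointers)} DC Tree nodes but {len(canonical)} tie-breakers")
    return org_dn, (canonical[0] if canonical else domain.lower())


def resolve_one_tree(entries, domain):
    """One lookup: match sunPreferredDomain or any associatedDomain on a
    sunManagedOrganization node. Returns (org_dn, preferred_domain) or None."""
    wanted = domain.lower()
    for dn, entry in entries.items():
        if "sunManagedOrganization" not in entry.get("objectClass", []):
            continue
        names = entry.get("sunPreferredDomain", []) + entry.get("associatedDomain", [])
        if wanted in (n.lower() for n in names):
            return dn, entry["sunPreferredDomain"][0]
    return None


if __name__ == "__main__":
    two, one = parse_ldif(TWO_TREE_LDIF), parse_ldif(ONE_TREE_LDIF)
    for d in ("sesta.com", "siroe.com", "varrius.com", "nonexistent.example"):
        print(d, resolve_two_tree(two, d), resolve_one_tree(one, d))
```

Both resolvers return the same Organization Tree node and canonical name for the aliases, but the two-tree path has two failure modes the one-tree path cannot have: an alias chain that loops, and a missing or duplicated inetCanonicalDomainName, which the function reports instead of silently picking one pointer.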

A one-tree DIT structure also makes it easier to partition data for organization-specific access control: each organization can have its own subtree in the DIT holding its user and group entries, and access to that data can be limited to users in that subtree. This allows localized applications to operate securely.
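As an added example (not from the Sun guide), the check below models the rule such a per-organization subtree implies: a user may read an entry only if both the user's own entry and the target lie under the organization's node. The comparison is done on parsed RDNs rather than a raw string suffix, so case and spacing differences in DNs and escaped commas in values are handled correctly. The organization_aci function emits the rule in Sun Directory Server ACI syntax; the DNs, the ou=People container and the attribute scope are assumptions.

```python
"""Scope access to one organization's subtree in a one-tree DIT.
Added example with constructed DNs, not code from the Sun guide."""


def split_dn(dn):
    """Split a DN into normalized (type, value) pairs, honouring backslash-escaped commas."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    pairs = []
    for rdn in rdns:
        attr_type, _, value = rdn.partition("=")
        pairs.append((attr_type.strip().lower(), value.strip().lower()))
    return pairs


def is_under(dn, base_dn):
    """True if dn equals base_dn or lies beneath it (structural suffix match)."""
    base, parts = split_dn(base_dn), split_dn(dn)
    return len(parts) >= len(base) and parts[-len(base):] == base


def organization_aci(org_dn):
    """ACI (Sun Directory Server syntax, assumed here) granting the organization's
    own users read/search on that organization's subtree only."""
    return (f'(targetattr="*")(version 3.0; acl "{org_dn} users"; '
            f'allow (read,search) userdn="ldap:///uid=*,ou=People,{org_dn}";)')


def may_read(bind_dn, target_dn, org_dn):
    """Model of the ACI above: bind DN must be a user of the organization and the
    target entry must be inside the organization's subtree."""
    return is_under(bind_dn, f"ou=People,{org_dn}") and is_under(target_dn, org_dn)


if __name__ == "__main__":
    org = "o=sesta.com,o=isp"
    print(organization_aci(org))
    print(may_read("uid=bob,ou=People,o=sesta.com,o=isp", "uid=ann,ou=People,o=sesta.com,o=isp", org))
    print(may_read("uid=bob,ou=People,o=sesta.com,o=isp", "uid=ann,ou=People,o=siroe.com,o=isp", org))
```

Placing the ACI on the organization node rather than at the suffix is what keeps one organization's users from reading another organization's entries, which is the partitioning benefit the text describes.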

In addition, for new deployments of Calendar Server or Messaging Server, a one-tree structure maps better to existing single-DIT LDAP applications.