|
| |
| Sun Java System Communications Express 6 2005Q1 Administration Guide | |
Appendix C
Installing Communications Express without Messaging Server and using a Single Tree StructureAn existing Directory Information Tree should be mapped to the dual tree namespace to retrieve user/group entries, when you are installing Communications Express on a machine on which:
Two Tree Names Space Mechanism
The namespace of Directory should consist of two directory information trees (DIT), an Organization Tree and a Domain Component Tree (DC Tree). Organization Trees contain the user and group entries. The DC Tree mirrors the local DNS structure and is used by the system as an index to the Organization Tree(s) containing the data entries. The DC Tree also contains the domain’s operating parameters such as the service specific attributes.
How the Two-tree Namespace Mechanism Works
This section describes how Communications Express uses the two-DIT mechanism.
When Communications Express searches for user/group entries, it first looks at the user/group’s domain node in the DC Tree and extracts the value of the inetDomainBaseDN attribute. This attribute holds a DN reference to the organization subtree containing the actual user/group entry.
Using this model, Communications Express can support entries stored in any type of directory Tree, provided that a domain component node in the DC Tree points to the node in the Organization Tree under which the users for that domain can be found.
Why Two Directory Information Trees?
This dual-tree mechanism provides the following enhancements:
- The partitioning of data for organization-specific access control. That is, each organization can have a separate subtree in the DIT where user and group entries are located. Access to that data can be limited to users in that part of the subtree.
- The ability to have a distinct namespace for subdomains. For example, west.siroe.com and siroe.com may be mapped to separate organization subtrees allowing the creation of user entries with the same UID in each one of them.
How to Map an Existing DIT to the Dual Tree Namespace?
Assuming that the root suffix for Organization tree is: o=isp
Assuming that the Organization DN that is currently being used is o=siroe.com,o=isp and the user container is ou=People,o=siroe.com,o=isp
- Create a root suffix, o=internet for DC tree.
The root suffix can be created using the Directory Server console.
- Under this DC tree root suffix, create a domain entry with DN as
dc=siroe,dc=com,o=internet.
Use the following LDIFs to create the domain entry using the ldapmodify command:
Note
Please change the Organization root, Organization Name, Organization DN, Object Classes and Attribute values mentioned in the LDIF files to reflect your deployment details.
root suffix
Organization root suffix: o=isp
Organization name: siroe
DNS domain name: siroe.com
Origanization DN: o=siroe.com,o=isp
The following Object Classes and attributes are used by mail service:
ObjectClasses:
mailDomain, nsManagedDomain
Attributes:
mailDomainStatus, preferredMailHost, mailDomainDiskQuota, mailDomainMsgQuota
mailDomainReportAddress, nsMaxDomains, nsNumUsers, nsNumDomains, nsNumMailLists
Note
Remove mail service ObjectClasses and Attributes from the LDIFs if you do not wish to use them.
Ensure that the value of inetDomainBaseDN attribute in the LDIF is assigned the organization DN.
Examples of LDIF Files
- Use ldapmodify command to add the LDIF file entries to the DC tree.