Sun Java System Communications Services 6 2005Q4 Deployment Planning Guide

LDAP Directory Information Tree Requirements

The Directory Information Tree (DIT) is a way to organize directory entries in a tree structure, or schema, with nodes representing domains, subdomains, users, and groups. Sun Java Enterprise System introduces a fundamental change to how the directory is structured by implementing a one-tree structure.

Changes in the DIT Structure

Messaging Server and Calendar Server have introduced a one-tree structure, where there is no Domain Component (DC) Tree. All domain information is held in domain nodes in the Organization Tree. Aliasing is handled entirely differently in the new one-DIT structure.

The bottom half of Figure 3–2 illustrates a one-tree LDAP structure.

Figure 3–2 Two-Tree LDAP Structure Compared With One-Tree Structure

This diagram compares the one-tree LDAP structure, introduced by Messaging Server 6.0, with the previous two-tree structure.

Benefits of a One-Tree DIT Structure

The main advantages to using the one-tree structure Schema 2 native mode are:

As illustrated in the following figure, in the two-tree structure, some nodes point directly to a node in the Organization Tree (using the attribute inetDomainBaseDN). Other nodes are aliased nodes, which instead of pointing directly to an Organization Tree node, point to another DC Tree node, using the aliasedObjectName attribute.

Figure 3–3 Two-Tree Aliasing With aliasedDomainName and inetDomainBaseDN

This diagram shows the two-tree LDAP with an aliasedObjectName set up.

In the previous figure, in the DC Tree points to in the DC Tree using aliasedObjectName, and points to the like-named node in the Organization Tree, using inetDomainBaseDN.

Furthermore, as shown in Figure 3–4, there could be one or more nodes in the DC Tree using inetDomainBaseDN to point directly to the same node in the Organization Tree. In this case, a “tie-breaker” attribute, inetCanonicalDomainName, is necessary on one of the DC Tree nodes to designate which is the “real” domain name (the domain where the mail actually resides and where the mail is routed).

Figure 3–4 Two-Tree Aliasing With inetCanonicalDomainName

This diagram shows the two-tree LDAP with two DC Tree nodes pointing to the same Organization Tree node, using inetCanonicalDomainName.

By contrast, a one-tree structure contains only an Organization Tree, as shown in the following figure.

Figure 3–5 One-Tree Aliasing With associatedDomain

This diagram demonstrates the simplified way aliases are handled in Sun ONE Schema, v.2.

In the one-tree structure, domain nodes in the Organization Tree contain all the domain attributes formerly found on the DC Tree. Each domain node is identified by the sunManagedOrganization object class and sunPreferredDomain attribute, which contains the DNS domain name. A domain node can also have one or more associatedDomain attributes, which list the alias names this domain is known by. Contrary to the two-tree structure, there are no duplicate nodes for the alias names.
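As an added example (not part of this guide or of the product's code), the following Python resolves a mail domain to its Organization Tree node under both models described above, using constructed in-memory entries. The suffixes o=internet and o=isp, the example.* domains and the alias-loop guard are assumptions made for the illustration.

```python
DC_ROOT = "o=internet"   # constructed DC Tree suffix (two-tree model only)
ORG_ROOT = "o=isp"       # constructed Organization Tree suffix

def dc_dn(domain):
    """Map 'example.com' to 'dc=example,dc=com,<DC_ROOT>'."""
    return ",".join("dc=" + part for part in domain.split(".")) + "," + DC_ROOT

# Constructed two-tree data: two DC nodes point directly at one Organization node,
# a third is an alias node; only one carries the inetCanonicalDomainName tie-breaker.
TWO_TREE = {
    dc_dn("example.com"): {"inetDomainBaseDN": "o=example.com," + ORG_ROOT,
                           "inetCanonicalDomainName": "example.com"},
    dc_dn("example.org"): {"inetDomainBaseDN": "o=example.com," + ORG_ROOT},
    dc_dn("example.net"): {"aliasedObjectName": dc_dn("example.com")},
    "o=example.com," + ORG_ROOT: {"objectClass": ["sunManagedOrganization"]},
}

# Constructed one-tree data: the single domain node carries its aliases itself.
ONE_TREE = {
    "o=example.com," + ORG_ROOT: {"objectClass": ["sunManagedOrganization"],
                                  "sunPreferredDomain": "example.com",
                                  "associatedDomain": ["example.org", "example.net"]},
}

def resolve_two_tree(domain, entries=TWO_TREE):
    """Follow aliasedObjectName, then inetDomainBaseDN, then pick the canonical name."""
    dn, seen = dc_dn(domain), set()
    while "aliasedObjectName" in entries.get(dn, {}):
        if dn in seen:                      # assumed guard against a cyclic alias chain
            raise ValueError("alias loop at " + dn)
        seen.add(dn)
        dn = entries[dn]["aliasedObjectName"]
    node = entries.get(dn)
    if node is None or "inetDomainBaseDN" not in node:
        return None
    org_dn = node["inetDomainBaseDN"]
    # Several DC nodes may point at org_dn; the one carrying inetCanonicalDomainName wins.
    canonical = [e["inetCanonicalDomainName"] for e in entries.values()
                 if e.get("inetDomainBaseDN") == org_dn and "inetCanonicalDomainName" in e]
    return org_dn, (canonical[0] if canonical else None)

def resolve_one_tree(domain, entries=ONE_TREE):
    """Match sunPreferredDomain or any associatedDomain on a sunManagedOrganization node."""
    for dn, e in entries.items():
        if "sunManagedOrganization" not in e.get("objectClass", []):
            continue
        if domain == e.get("sunPreferredDomain") or domain in e.get("associatedDomain", []):
            return dn, e["sunPreferredDomain"]
    return None
```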

A one-tree DIT structure is beneficial in how you partition data for organization-specific access control. That is, each organization can have a separate subtree in the DIT where user and group entries are located. Access to that data can be limited to users in that part of the subtree. This allows localized applications to operate securely.

In addition, for new deployments of Calendar Server or Messaging Server, a one-tree structure maps better to existing single-DIT LDAP applications.