
Multiple domains

Open svallory opened this issue 8 years ago • 6 comments

Is it possible to use multiple domains? How?

svallory avatar Oct 18 '17 13:10 svallory

I have the exact same question and I struggled to find the answer.

From what I could gather, yes, you can. Doing multiple domains with one common root would be easier (for example, multiple domains under .com (dc=com)). But in the end, LDAP is pretty flexible and I needed multiple TLDs. So what I did is create a TLD called multiverse and, under it, put the different real-life TLDs.

I have:

  • dc=mydomain,dc=com,dc=multiverse
  • dc=clientdomain,dc=io,dc=multiverse

Then you can just set your base DN to dc=multiverse to search real TLDs such as dc=clientdomain,dc=io without needing to add the dc=multiverse suffix.

dolanor avatar Dec 09 '17 12:12 dolanor

@dolanor, have you tried your method in the osixia docker image or directly on a system? Also, could you please help me with where exactly your changes are supposed to be made? I have been struggling with it for a long time. Any help would be appreciated. :-)

parthg13 avatar Apr 22 '20 14:04 parthg13

@parthg13 I'm struggling with the same issue, have you figured this out?

marinipete avatar Feb 03 '22 21:02 marinipete

God, I'm sorry I missed this call for help, @parthg13. Yes, I did it on the docker image. But it is mainly about how you structure your LDAP hierarchy, actually. What's your problem, @marinipete?

dolanor avatar Feb 03 '22 22:02 dolanor

Hey there, @dolanor. I was off for a while, let me detail the scenario.

I'm migrating an LDAP base (an Oracle LDAP base) to OpenLDAP, and I'm using this image to dockerize OpenLDAP. In the current Oracle implementation there is a **root** parent DN; with that I can simply add as many suffixes under this root as I want, and it doesn't need to be specified in LDAP queries, so it's transparent to the LDAP clients.

Now I'm trying to translate this to OpenLDAP using this image. I've already inspected the startup.sh and it looks like the code expects only one string for LDAP_DOMAIN and LDAP_BASE_DN; I guess this could be altered by extending the image. From what I read about OpenLDAP, it is a best practice to have different suffixes in different databases. However, I have one limitation right now: I use only one DNS name for all my LDAP suffixes, and since Oracle has this transparent root that I talked about, all LDAP applications use this single DNS endpoint independently of the tree being queried (since it's not necessary to specify the root). I need to keep it that way, as having multiple DNS names for different suffixes would require an update in a lot of applications.

Do you know if that's possible with OpenLDAP? I would appreciate any kind of insight.

marinipete avatar Feb 10 '22 15:02 marinipete

I would say it is possible, as I do this myself. I handle multiple domains with different TLDs. As I said, my LDAP tree is as follows:

+ dc=multiverse
    + dc=com
        + ou=mydomain
            + ou=apps
                 + cn=nextcloud
        + ou=myotherdomain
    + dc=io
        + ou=mygeekydomain

I must say that I didn't connect my DNS directly to this LDAP, so it doesn't generate DNS records for me. I was confused about how LDAP worked and how to deal with it. So my DNS is handled manually with my registrar to point to the correct server IP address. But on each domain, I can have many apps (e.g. nextcloud) as a CN with uniqueMember applied to it, and in it I store the useful info (which user has access to this app, for example). And in each app, I check this group's uniqueMembers to see if this LDAP-authenticated user has access to this app.

dolanor avatar Mar 14 '22 13:03 dolanor
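The following is an added example, not code from the osixia/docker-openldap project or from anyone in this thread. It models in memory the single-root layout dolanor describes (a hidden dc=multiverse root holding several real TLDs) together with the per-app uniqueMember check he mentions, and it also shows the point marinipete asks about: a client can present a DN such as ou=mygeekydomain,dc=io and have it resolved under the hidden root without the client ever naming that root. The LDIF, the user entries (uid=alice, uid=bob), ou=users and the group membership are constructed for illustration and are assumptions, not data from the thread. A real deployment would do the same lookups with ldapsearch against slapd; this block only reproduces the DN logic so it runs offline.

```python
"""Added example: single hidden root (dc=multiverse) holding several real TLDs,
plus a per-app uniqueMember authorization check. Not project code."""

from __future__ import annotations

# Constructed sample directory in LDIF form (assumption: entry names such as
# ou=users, uid=alice, uid=bob and the nextcloud membership are invented here).
SAMPLE_LDIF = """\
dn: dc=multiverse
objectClass: dcObject
objectClass: organization
o: multiverse
dc: multiverse

dn: dc=com,dc=multiverse
objectClass: dcObject
objectClass: organization
o: com
dc: com

dn: ou=mydomain,dc=com,dc=multiverse
objectClass: organizationalUnit
ou: mydomain

dn: ou=users,ou=mydomain,dc=com,dc=multiverse
objectClass: organizationalUnit
ou: users

dn: uid=alice,ou=users,ou=mydomain,dc=com,dc=multiverse
objectClass: inetOrgPerson
uid: alice
cn: Alice
sn: Example

dn: uid=bob,ou=users,ou=mydomain,dc=com,dc=multiverse
objectClass: inetOrgPerson
uid: bob
cn: Bob
sn: Example

dn: ou=apps,ou=mydomain,dc=com,dc=multiverse
objectClass: organizationalUnit
ou: apps

dn: cn=nextcloud,ou=apps,ou=mydomain,dc=com,dc=multiverse
objectClass: groupOfUniqueNames
cn: nextcloud
uniqueMember: uid=alice,ou=users,ou=mydomain,dc=com,dc=multiverse

dn: dc=io,dc=multiverse
objectClass: dcObject
objectClass: organization
o: io
dc: io

dn: ou=mygeekydomain,dc=io,dc=multiverse
objectClass: organizationalUnit
ou: mygeekydomain
"""


def normalize_dn(dn: str) -> str:
    """Lower-case each RDN and strip whitespace so DN comparisons are
    case-insensitive, which is how LDAP matches these attribute types."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(text: str) -> dict[str, dict[str, list[str]]]:
    """Parse simple LDIF (no continuation lines, no base64 values) into
    {normalized dn: {attribute: [values]}}."""
    entries: dict[str, dict[str, list[str]]] = {}
    for block in text.strip().split("\n\n"):
        attrs: dict[str, list[str]] = {}
        dn = None
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if key == "dn":
                dn = normalize_dn(value)
            else:
                attrs.setdefault(key, []).append(value)
        if dn is None:
            raise ValueError("LDIF entry without dn")
        entries[dn] = attrs
    return entries


def is_under(dn: str, base: str) -> bool:
    """True when dn is base itself or lies somewhere in base's subtree."""
    dn, base = normalize_dn(dn), normalize_dn(base)
    return dn == base or dn.endswith("," + base)


def resolve(client_dn: str, base: str) -> str:
    """Map a client-facing DN (e.g. ou=mygeekydomain,dc=io) onto the full DN
    under the hidden root; DNs that already carry the root pass through."""
    client_dn, base = normalize_dn(client_dn), normalize_dn(base)
    return client_dn if is_under(client_dn, base) else client_dn + "," + base


def subtree_search(entries, base: str, attr: str, value: str) -> list[str]:
    """Subtree search from base: DNs whose attribute attr contains value."""
    return sorted(dn for dn, attrs in entries.items()
                  if is_under(dn, base) and value in attrs.get(attr, []))


def has_access(entries, user_dn: str, app_cn: str, base: str = "dc=multiverse") -> bool:
    """Per-app check: the user is authorized only if their full DN is listed as
    a uniqueMember of a cn=<app> group somewhere under the hidden root."""
    full_user_dn = resolve(user_dn, base)
    for group_dn in subtree_search(entries, base, "cn", app_cn):
        members = {normalize_dn(m) for m in entries[group_dn].get("uniqueMember", [])}
        if full_user_dn in members:
            return True
    return False


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    print(resolve("ou=mygeekydomain,dc=io", "dc=multiverse"))
    print(has_access(directory, "uid=alice,ou=users,ou=mydomain,dc=com", "nextcloud"))
    print(has_access(directory, "uid=bob,ou=users,ou=mydomain,dc=com", "nextcloud"))
```

Two things worth keeping from this when doing it against a real slapd: the "transparent root" is purely a matter of the search base every client uses (here dc=multiverse), and the authorization decision is a membership lookup on the app's group, so the group DN and the member DNs must be compared after normalization or a case difference will silently deny access.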