[Pdns-users] Query on LDAP Backend
Jamie Thompson
pdns.users at jamie-thompson.co.uk
Thu Jul 17 00:56:58 UTC 2008
Hi, perhaps this would be better for pdns-dev, but as I'm just a prospective
user who may be doing things wrong, I've sent it here instead :)
I'm migrating from ldapdns to pdns (ldapdns's lockups are killing me) and its
LDAP backend, and have hit an interesting snag, namely I suspect due to some
'liberal' interpretation of the RFCs by ldapdns or yourselves. I'm not saying
what you currently do is wrong by any means, I'm just intrigued why the use of
the associatedDomain attribute is apparently hardcoded, forcing you to pull in
the domainRelatedObject objectclass for each domain object in the tree? My
initial guess is simplicity, as the query string needn't be processed, just
plugged into the query filter.
The crux of the issue is that I designed my tree to mimic the DNS hierarchy:
dc=jamie-thompson,dc=co,dc=uk,dc=.
dc=1,dc=1,dc=168,dc=192,dc=in-addr,dc=arpa,dc=.
...and so on.
This works just fine with ldapdns, but doesn't with pdns-ldap, as I have no
associatedDomain attributes, the information from which probably being inferred
from the LDAP tree structure by ldapdns.
This seems reasonable to me, as duplicating the information from the DN in the
associatedDomain seems superfluous, it's just as easy to transform the query
"www.jamie-thompson.co.uk" into...
base: "dc=www,dc=jamie-thompson,dc=co,dc=uk" + rootValue
filter: "(dc=*)" (or even better, dc=<leftmost component of domain query>)
scope: base
...or thereabouts.
My reading of the RFC is that all that's required is the objectClass dNSDomain
(or more likely given you do things more correctly with PTR records,
dNSDomain2), and the only required attribute for that is "dc" (domainComponent),
which would seem to mesh with what I have/want. domainRelatedObject's
associatedDomain attribute seems to be intended for non-linearly mapped
directories, so that ou=jamie-thompson could then have the associatedDomain of
jamie-thompson.co.uk without any additional fluff. Which is indeed useful, but
not quite what I'm after.
Anyway, what I mean by that rambling is that it'd be nice to have the option of
a mode that uses the basic dc attributes as the search base, and the filter
solely used to filter the results by whatever arbitrary filter the sysadmin wants.
Thoughts?
- Jamie
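The transformation Jamie sketches above (query name to base DN, leftmost label as filter, scope base) is small enough to write out. The following is an added example, not code from the original post, from ldapdns or from PowerDNS; the root suffix "dc=." appended to every base, the function names, and the optional admin_filter parameter are assumptions made here. The one thing the sketch leaves out and a backend must not: the query name arrives from an untrusted DNS client, so every label has to be escaped before it is spliced into a DN (RFC 4514) or a search filter (RFC 4515), otherwise a name like "a,dc=evil.example" rewrites the search base.

```python
# Added example (not PowerDNS or ldapdns code): build the LDAP search that
# the post proposes for a DNS query name, mapping each label to one dc= RDN
# with the most specific label leftmost and using the leftmost label as
# the filter. The "dc=." root suffix and the parameter names are assumptions.
# Values are escaped per RFC 4514 (DN) and RFC 4515 (filter) so that a
# query name arriving over the wire cannot inject extra RDNs or clauses.

from dataclasses import dataclass

# RFC 4514 section 2.4: characters that must be backslash-escaped in a value.
_DN_SPECIAL = set(',+"\\<>;=')


def escape_dn_value(value):
    """Escape one attribute value for use inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append('\\' + ch)
        elif (i == 0 and ch in ' #') or (i == last and ch == ' '):
            # leading space or '#', and trailing space, are also special
            out.append('\\' + ch)
        elif ord(ch) < 0x20:
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def escape_filter_value(value):
    """Escape one assertion value for use inside a search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in '*()\\' or ord(ch) < 0x20:
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def dns_labels(qname):
    """Split a query name into labels; DNS names are case-insensitive, so fold case."""
    name = qname.rstrip('.').lower()
    if not name:
        return []
    parts = name.split('.')
    if '' in parts:
        raise ValueError('empty label in %r' % qname)
    return parts


@dataclass(frozen=True)
class LdapSearch:
    base: str
    filter: str
    scope: str


def dns_to_ldap_search(qname, root_dn='dc=.', admin_filter=None):
    """Map a query name to (base, filter, scope) in the tree layout of the post.

    root_dn is operator configuration and is appended verbatim; admin_filter,
    if given, is an already well-formed filter that is AND-ed with the dc= test
    (the "whatever arbitrary filter the sysadmin wants" part of the proposal).
    """
    parts = dns_labels(qname)
    rdns = ['dc=' + escape_dn_value(p) for p in parts]
    base = ','.join(rdns + [root_dn])
    if parts:
        flt = '(dc=%s)' % escape_filter_value(parts[0])
    else:
        flt = '(dc=*)'
    if admin_filter:
        flt = '(&%s%s)' % (flt, admin_filter)
    return LdapSearch(base=base, filter=flt, scope='base')


if __name__ == '__main__':
    # Constructed sample names: the two from the post plus a hostile one.
    for q in ('www.jamie-thompson.co.uk', '1.1.168.192.in-addr.arpa.', 'a,dc=evil.example'):
        print(q, '->', dns_to_ldap_search(q, admin_filter='(objectClass=dNSDomain2)'))
```

With the hostile name the base comes out as `dc=a\,dc\=evil,dc=example,dc=.`, a single RDN whose value happens to contain a comma, rather than a search rooted under an attacker-chosen `dc=evil`. A real backend would additionally reject labels that are not valid hostname characters before they ever reach the directory, but escaping is the part that has to be right regardless of what the validation lets through.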