[389-users] Question about users and groups in sub suffixes

Noriko Hosoi nhosoi at redhat.com
Sat Jul 28 00:50:35 UTC 2012


Paul Robert Marino wrote:
> Hello everyone
>
> I have a strange problem. I'm trying to use 389 server in a large
> organization and I have to break the directory into several sub
> suffixes or root suffixes.
> Here is the scenario:
> I work for Large company A
> Large company A owns
> 1) subsidiary b
> 2) subsidiary c
> 3) subsidiary d
>
> Large company A uses domain example.com
> subsidiary b uses domain b.example.com
> subsidiary c uses domain c.example.com
> subsidiary d uses domain d.example.com
>
>
> I would like to separate each of the subsidiaries into their own sub
> suffix, partially because of security reasons, also to minimize unneeded
> replication for local read only slaves at the subsidiary sites, and I
> would also like the administrator at each subsidiary to have the
> option of managing their own users or having the administrators at the
> parent company do it for them.
>
> Now creating the sub suffix with its own database is fairly well
> documented and works well with ou's but doesn't seem to work with
> dc's.
> If I create the new suffix as a dc and go into the users and groups in
> the console and try to add a user to the new dc it won't let me. If I
> use the Users drop down menu and try to change directory and set the
> base to the new dc (e.g. dc=b,dc=example,dc=com) it tells me the dc
> isn't valid.
>
> I also tried creating a root suffix and ran into the same problem, so
> what am I missing?
> Is there some initial database population step I didn't see in the
> documentation or do I need to set up some ACIs or what?
There should not be any problem creating a sub suffix starting with "dc".
$ ldapsearch -LLLx  [...]  -b "dc=example,dc=com" dn
dn: dc=example,dc=com
dn: dc=B,dc=example,dc=com
dn: dc=C,dc=example,dc=com
dn: dc=D,dc=example,dc=com

I put dc=B in Broot, dc=C in Croot, and dc=D in Droot.
$ ls /var/lib/dirsrv/slapd-ID/db
Broot/    DBVERSION  NetscapeRoot/  __db.002  __db.004  __db.006        userRoot/
Croot/    Droot/     __db.001       __db.003  __db.005  log.0000000001

Do you see any errors in the error log?
/var/log/dirsrv/slapd-ID/errors
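
The layout listed above for one subsidiary (dc=B held in a backend named Broot under dc=example,dc=com), written out as the configuration and data entries 389 Directory Server uses for a sub suffix. This is an added example, not part of the original post and not the poster's actual configuration; dc=C/Croot and dc=D/Droot would follow the same pattern, and the use of the domain object class for the suffix root entry is an assumption.

```ldif
# Backend (database) instance named Broot, matching the db/ listing above.
dn: cn=Broot,cn=ldbm database,cn=plugins,cn=config
objectClass: extensibleObject
objectClass: nsBackendInstance
cn: Broot
nsslapd-suffix: dc=B,dc=example,dc=com

# Mapping tree entry: routes operations on the sub suffix to Broot and
# records dc=example,dc=com as its parent suffix.
dn: cn="dc=B,dc=example,dc=com",cn=mapping tree,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
cn: dc=B,dc=example,dc=com
nsslapd-state: backend
nsslapd-backend: Broot
nsslapd-parent-suffix: "dc=example,dc=com"

# Root entry of the sub suffix itself, stored inside Broot. The search
# output above returns this entry as "dn: dc=B,dc=example,dc=com".
# Assumption: object class "domain" is used for a dc-named suffix.
dn: dc=B,dc=example,dc=com
objectClass: top
objectClass: domain
dc: B
```

The first two entries live under cn=config; the third is ordinary directory data and is the one a base-scope search on the new suffix should return.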
