[389-users] Question about users and groups in sub suffixes

Noriko Hosoi nhosoi at redhat.com
Mon Jul 30 16:28:56 UTC 2012


Hi Paul,

Paul Robert Marino wrote:
>
> Noriko
> Thanks for the reply. As I mentioned in my previous email, I assumed 
> that when I created the sub suffix database for dc=b,dc=example,dc=com 
> it would automatically add the dn to the database, but it doesn't, so I 
> manually added it and it works now.
>
> For clarity that step should be added to the documentation.
> The way I figured it out is I just tried to add a new subdomain 
> without adding a sub suffix and I got a warning message saying I may 
> want to add the sub suffix first
>
When I created the sub suffix/subdomain, I used the Console.  Here's 
what I did.
Open Directory Console.
Choose Configuration tab
Choose the parent suffix under Data (dc=example,dc=com, in my example)
Right click shows a menu; choose "New Sub Suffix".
Fill "New Suffix" and "Database name" box
Then, the new sub suffix is generated (e.g., "dc=B,dc=example,dc=com")
Expand the new sub suffix; choose the underlying database (having the 
Database name you assigned)
Right click shows a menu; choose "Initialize database"
Give the ldif file to initialize the sub suffix/subdomain.

Thanks,
--noriko
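
Both the manual fix Paul describes (adding the suffix's own entry) and the last Console step above (initializing the database from an LDIF file) need an LDIF that contains the sub suffix's root entry. The following is an added example, not part of the original thread and not 389 project code: it builds that entry for a dc=, ou= or o= suffix. The function names and the attribute-to-objectClass mapping are assumptions of this example.

```python
import base64

# Assumed mapping: structural object class for each suffix naming attribute.
SUFFIX_CLASSES = {"dc": "domain", "ou": "organizationalUnit", "o": "organization"}


def first_rdn(dn):
    """Split the leftmost RDN of a suffix DN into (attribute, value)."""
    rdn = dn.split(",", 1)[0]
    # Escaped or multi-valued RDNs are out of scope here: refuse, don't guess.
    if "\\" in rdn or "+" in rdn or "=" not in rdn:
        raise ValueError(f"unsupported leading RDN: {rdn!r}")
    attr, value = rdn.split("=", 1)
    attr, value = attr.strip().lower(), value.strip()
    if not attr or not value:
        raise ValueError(f"empty attribute or value in RDN: {rdn!r}")
    return attr, value


def ldif_line(attr, value):
    """Emit 'attr: value', or base64 'attr:: ...' when LDIF requires it."""
    unsafe = (not value.isascii()
              or any(c in value for c in "\0\r\n")
              or value[:1] in (" ", ":", "<")
              or value.endswith(" "))
    if unsafe:
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{attr}:: {encoded}"
    return f"{attr}: {value}"


def suffix_entry_ldif(suffix):
    """Return the LDIF for the root entry of the given suffix DN."""
    attr, value = first_rdn(suffix)
    if attr not in SUFFIX_CLASSES:
        raise ValueError(f"no object class known for naming attribute {attr!r}")
    lines = [
        ldif_line("dn", suffix),
        "objectClass: top",
        f"objectClass: {SUFFIX_CLASSES[attr]}",
        ldif_line(attr, value),  # the RDN value must also be in the entry
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed input: the three subsidiary suffixes from the thread.
    for name in ("B", "C", "D"):
        print(suffix_entry_ldif(f"dc={name},dc=example,dc=com"))
```
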

> On Jul 27, 2012 8:50 PM, "Noriko Hosoi" <nhosoi at redhat.com> wrote:
>
>     Paul Robert Marino wrote:
>
>         Hello everyone
>
>         I have a strange problem. I'm trying to use 389 server in a large
>         organization and I have to break the directory into several sub
>         suffixes or root suffixes.
>         Here is the scenario:
>         I work for Large company A
>         Large company A owns
>         1) subsidiary b
>         2) subsidiary c
>         3) subsidiary d
>
>         Large company A uses domain example.com
>         subsidiary b uses domain b.example.com
>         subsidiary c uses domain c.example.com
>         subsidiary d uses domain d.example.com
>
>         I would like to separate each of the subsidiaries into their own
>         sub suffix, partially because of security reasons and also to
>         minimize unneeded replication for local read-only slaves at the
>         subsidiary sites, and I would also like the administrator at each
>         subsidiary to have the option of managing their own users or
>         having the administrators at the parent company do it for them.
>
>         Now, creating the sub suffix with its own database is fairly well
>         documented and works well with ou's but doesn't seem to work with
>         dc's. If I create the new suffix as a dc and go into the users and
>         groups in the console and try to add a user to the new dc, it
>         won't let me. If I use the Users drop-down menu and try to change
>         directory and set the base to the new dc (e.g.
>         dc=b,dc=example,dc=com), it tells me the dc isn't valid.
>
>         I also tried creating a root suffix and ran into the same problem,
>         so what am I missing?
>         Is there some initial database population step I didn't see in the
>         documentation, or do I need to set up some ACIs or what?
>
>     There should not be any problem creating a sub suffix starting with
>     "dc".
>     $ ldapsearch -LLLx  [...]  -b "dc=example,dc=com" dn
>     dn: dc=example,dc=com
>     dn: dc=B,dc=example,dc=com
>     dn: dc=C,dc=example,dc=com
>     dn: dc=D,dc=example,dc=com
>
>     I put dc=B in Broot, dc=C in Croot, and dc=D in Droot.
>     $ ls /var/lib/dirsrv/slapd-ID/db
>     Broot/    DBVERSION  NetscapeRoot/  __db.002  __db.004  __db.006  userRoot/
>     Croot/    Droot/       __db.001      __db.003  __db.005 log.0000000001
>
>     Do you see any errors in the error log?
>     /var/log/dirsrv/slapd-ID/errors
>
>         --
>         389 users mailing list
>         389-users at lists.fedoraproject.org
>         <mailto:389-users at lists.fedoraproject.org>
>         https://admin.fedoraproject.org/mailman/listinfo/389-users
