[389-users] Question about users and groups in sub suffixes
Noriko Hosoi
nhosoi at redhat.com
Mon Jul 30 16:28:56 UTC 2012
Hi Paul,
Paul Robert Marino wrote:
>
> Noriko
> Thanks for the reply. As I mentioned in my previous email, I assumed
> that when I created the sub suffix database for dc=b,dc=example,dc=com
> it would automatically add the dn to the database, but it doesn't, so I
> manually added it and it works now.
>
> For clarity that step should be added to the documentation.
> The way I figured it out is I just tried to add a new subdomain
> without adding a sub suffix and I got a warning message saying I may
> want to add the sub suffix first.
>
When I created the sub suffix/subdomain, I used the Console. Here's
what I did.
1) Open Directory Console.
2) Choose the Configuration tab.
3) Choose the parent suffix under Data (dc=example,dc=com, in my example).
4) Right click shows a menu; choose "New Sub Suffix".
5) Fill in the "New Suffix" and "Database name" boxes.
   Then, the new sub suffix is generated (e.g., "dc=B,dc=example,dc=com").
6) Expand the new sub suffix; choose the underlying database (having the
   Database name you assigned).
7) Right click shows a menu; choose "Initialize database".
8) Give the ldif file to initialize the sub suffix/subdomain.
Thanks,
--noriko
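
An added example, not part of the original message and not 389 Directory Server code: a pre-import check for the LDIF given to "Initialize database", confirming that it contains the suffix entry itself (the entry Paul reports having to add manually) and that every entry sits under the new sub suffix. The function names and sample LDIF are constructed for illustration, and the check assumes lower-case "dn:" lines and DNs without escaped commas.

```python
import base64

def entry_dns(ldif_text):
    """Return the DN of each entry in file order (handles line folding and dn::)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # RFC 2849 continuation line
        else:
            lines.append(raw)
    dns = []
    for line in lines:
        if line.startswith("dn::"):           # base64-encoded DN
            dns.append(base64.b64decode(line[4:].strip()).decode("utf-8"))
        elif line.startswith("dn:"):
            dns.append(line[3:].strip())
    return dns

def norm(dn):
    """Case-fold and drop spaces around RDN separators (assumes no escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def check_init_ldif(ldif_text, suffix):
    """List problems that would leave the new sub suffix without usable entries."""
    base = norm(suffix)
    problems, seen = [], set()
    dns = [norm(d) for d in entry_dns(ldif_text)]
    if base not in dns:
        problems.append("suffix entry %s is missing" % suffix)
    for dn in dns:
        if dn != base and not dn.endswith("," + base):
            problems.append("%s is outside %s" % (dn, suffix))
        elif dn != base and dn.split(",", 1)[1] not in seen:
            problems.append("parent of %s is not defined before it" % dn)
        seen.add(dn)
    return problems

# Constructed sample input: the first LDIF lacks the suffix entry itself.
WITHOUT_BASE = """\
dn: ou=People,dc=b,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People
"""
WITH_BASE = "dn: dc=b,dc=example,dc=com\nobjectClass: top\nobjectClass: domain\ndc: b\n\n" + WITHOUT_BASE

if __name__ == "__main__":
    for name, text in (("without base", WITHOUT_BASE), ("with base", WITH_BASE)):
        print(name, check_init_ldif(text, "dc=B,dc=example,dc=com"))
```

An empty result means the LDIF starts from the suffix entry and every child has its parent defined first.
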
> On Jul 27, 2012 8:50 PM, "Noriko Hosoi" <nhosoi at redhat.com> wrote:
>
> Paul Robert Marino wrote:
>
> Hello everyone,
>
> I have a strange problem. I'm trying to use 389 server in a large
> organization and I have to break the directory into several sub
> suffixes or root suffixes.
> Here is the scenario:
> I work for Large company A
> Large company A owns
> 1) subsidiary b
> 2) subsidiary c
> 3) subsidiary d
>
> Large company A uses domain example.com
> subsidiary b uses domain b.example.com
> subsidiary c uses domain c.example.com
> subsidiary d uses domain d.example.com
>
> I would like to separate each of the subsidiaries into their own sub
> suffix, partially because of security reasons, also to minimize unneeded
> replication for local read-only slaves at the subsidiary sites, and I
> would also like the administrator at each subsidiary to have the
> option of managing their own users or having the administrators at the
> parent company do it for them.
>
> Now, creating the sub suffix with its own database is fairly well
> documented and works well with ou's but doesn't seem to work with dc's.
> If I create the new suffix as a dc and go into the users and groups in
> the console and try to add a user to the new dc, it won't let me. If I
> use the Users drop-down menu and try to change directory and set the
> base to the new dc (e.g. dc=b,dc=example,dc=com), it tells me the dc
> isn't valid.
>
> I also tried creating a root suffix and ran into the same problem, so
> what am I missing?
> Is there some initial database population step I didn't see in the
> documentation, or do I need to set up some ACIs or what?
>
> There should not be any problem to create sub suffix starting with
> "dc".
> $ ldapsearch -LLLx [...] -b "dc=example,dc=com" dn
> dn: dc=example,dc=com
> dn: dc=B,dc=example,dc=com
> dn: dc=C,dc=example,dc=com
> dn: dc=D,dc=example,dc=com
>
> I put dc=B in Broot, dc=C in Croot, and dc=D in Droot.
> $ ls /var/lib/dirsrv/slapd-ID/db
> Broot/ DBVERSION NetscapeRoot/ __db.002 __db.004 __db.006
> userRoot/
> Croot/ Droot/ __db.001 __db.003 __db.005 log.0000000001
>
> Do you see any errors in the error log?
> /var/log/dirsrv/slapd-ID/errors
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> <mailto:389-users at lists.fedoraproject.org>
> https://admin.fedoraproject.org/mailman/listinfo/389-users