Note Make sure you have read Chapter 1, "Welcome to the Directory Server," before continuing with this appendix. Chapter 1 contains information about basic directory server concepts that you need to understand before performing server installation.
In general, if you are deploying your directory service into a production environment, taking an afternoon to become familiar with the concepts and issues raised in the earlier portions this manual will go a long way towards helping you build a robust, secure, easily-administered directory service.
Planning Your Suffix Value
Before you get started, you must plan the suffix name under which you are going to store your directory entries. If your enterprise already has an Internet domain name registered for it, then use a suffix value of the following format:
o=<your domain name>
That is, if your enterprise's Internet domain name is Airius.com, then use:
o=airius.com
as your suffix. If you do not have an Internet domain name registered for you enterprise, then simply use your company's name. For example:
o=airius corporation
Directory Tree Advice
Keep your directory tree as flat as possible. For a small or non-production directory service, there are no technical or administrative advantages to branching your directory tree. Consequently, simply create every entry at your directory's root level. That is, if your suffix is o=airius.com, then create all your entries using the following format:
uid=<some value>, o=airius.com
for people entries, and
cn=<some value>, o=airius.com
for group entries.
DN Advice
The one thing you absolutely must do is make sure every DN is unique. This can be one of the greatest challenges facing a directory administrator. This is because DNs traditionally begin with a common name (cn attribute). Common name-based distinguished names are not a problem for any kind of a directory entry other than entries that represent people. For people entries, common names are meant to be a person's full name. In theory, by using common name-based distinguished names you should be able to quickly know which person is represented by any given DN. Unfortunately, this strategy quickly fails because in any organization of even a moderate size, employees often have the same name.
To avoid naming collisions, use uid-based distinguished names for all person entries. Netscape SuiteSpot servers require that every person entry managed by the servers are defined to have a unique user ID anyway. By using this user ID for your distinguished names, you can elegantly sidestep directory name collisions.
Note that you should choose user IDs that are reasonably human readable; that is, do not use a random collection of letters and/or numbers for your user IDs. If your enterprise already has an email system, one possible solution is to select the left-most value on each person's email address for that person's user ID. That is, if a person has the email address:
bjensen@airius.com
then give that person's directory entry the following DN:
uid=bjensen, o=airius.com
Note
It is recommended that you avoid using meaningless values such as an
employee number for the uid. Using non-intuitive user IDs can create
administrative burdens for you.
Also, remember that the information contained in a DN is essentially public
information; anyone who can search for that entry can see all of the
information contained in the DN. For this reason, limit your DNs to generic or
public information.
For more information on designing directory trees and DN formats, see
Chapter 6, "Directory Tree Design."
Last Updated: 02/17/98 15:47:54