101 lines
6.6 KiB
HTML
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="dc.language" scheme="rfc1766" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<meta name="dc.date" scheme="iso8601" content="2005-09-06" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow"/>
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<title>Directory Server (LDAP) - Suffix (naming context)</title>
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
<link rel="stylesheet" type="text/css" href="ic.css" />
</head>
<body>
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->
<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>
<a name="rzahysuffix"></a>
<h2 id="rzahysuffix">Suffix (naming context)</h2>
<p>A suffix (also known as a naming context) is a DN that identifies the top
entry in a locally held directory hierarchy. Because of the relative naming
scheme used in LDAP, this DN is also the suffix of every other entry within
that directory hierarchy. A directory server can have multiple suffixes, each
identifying a locally held directory hierarchy, for example, o=ibm,c=us.</p>
<p>The specific entry that matches the suffix must be added to the directory.
The entry you create must use an objectclass that contains the naming attribute
used. You can use the Web administration tool or the Qshell ldapadd utility
to create the entry corresponding to this suffix. For more information, see <a href="rzahywrkdirentries.htm#rzahywrkdirentries">Manage directory entries</a> or <a href="rzahyldapadd.htm#rzahyldapadd">ldapmodify and ldapadd</a>.</p>
<p>Conceptually, there is a global LDAP name space. In the global LDAP name
space, you might see DNs like:</p>
<ul>
<li>cn=John Smith,ou=Rochester,o=IBM</li>
<li>cn=Jane Doe,o=My Company,c=US</li>
<li>cn=system administrator,dc=myco,dc=com</li></ul>
<p>The suffix "o=IBM" tells the server that only the first DN is in a name
space held by the server. Attempts to reference objects that are not within
one of the suffixes result in a no such object error or a referral to another
directory server.</p>
<p>A server can have multiple suffixes. The Directory Server has several
predefined suffixes that hold data specific to our implementation:</p>
<ul>
<li>cn=schema contains the LDAP accessible representation of the schema</li>
<li>cn=changelog holds the server change log, if enabled</li>
<li>cn=localhost contains non-replicated information that controls some aspects
of the server operation, for example, replication configuration objects</li>
<li><img src="delta.gif" alt="Start of change" />cn=IBMpolicies contains information on server operation that <span class="italic">is</span> replicated.<img src="deltaend.gif" alt="End of change" /></li>
<li>cn=pwdpolicy contains the server-wide password policy</li>
<li>the "os400-sys=system-name.mydomain.com" suffix provides LDAP accessibility
to i5/OS objects, currently limited to user profiles and groups</li></ul>
<p>The Directory Server comes pre-configured with a default suffix, dc=system-name,dc=domain-name,
to make it easier to get started with the server. There is no requirement
that you use that suffix. You can add your own suffixes, and delete the pre-configured
suffix.</p>
<p>There are two commonly used naming conventions for suffixes. One is based
on the TCP/IP domain for your organization. The other is based on the organization's
name and location.</p>
<p>For example, given a TCP/IP domain of mycompany.com, you might choose a
suffix like <tt class="xph">dc=mycompany,dc=com</tt>, where the <tt class="xph">dc</tt> attribute refers to the domain component. In this case the top level
entry you create in the directory might look like the following (using LDIF,
a text file format for representing LDAP entries):</p>
<pre class="xmp">dn: dc=mycompany,dc=com
objectclass: domain
dc: mycompany</pre>
<p>The <tt class="xph">domain</tt> objectclass also has some optional attributes
you might want to use. View the schema or edit the entry you have created
using the Web administration tool to see the additional attributes that you
can use. For more information, see <a href="rzahymanschema.htm#rzahymanschema">Manage the schema</a>.</p>
<p>If your company name is <tt class="xph">My Company</tt> and it is located
in the United States, you might choose a suffix like one of the following:</p>
<pre class="xmp">o=My Company
o=My Company,c=US
ou=Widget Division,o=My Company,c=US</pre>
<p>Here <tt class="xph">ou</tt> is the naming attribute for the organizationalUnit objectclass, <tt class="xph">o</tt> is the organization name for the organization objectclass, and <tt class="xph">c</tt> is the standard two-letter country abbreviation used to name the country
object class. In this case the top level entry you create might look like:</p>
<pre class="xmp">dn: o=My Company,c=US
objectclass: organization
o: My Company</pre>
<p>Applications that you use might require that specific suffixes be defined,
or that a particular naming convention be used. For example, if your directory
is used to manage digital certificates, you might be required to structure
part of your directory so that entry names match the subject DNs of the certificates
that it holds.</p>
<p>The DN of an entry to be added to the directory must end in one of the
configured suffixes; for example, <tt class="xph">ou=Marketing,o=ibm,c=us</tt> falls
under the suffix o=ibm,c=us. If a query names a DN whose suffix does not match
any suffix configured for the local database, the query is referred to the
LDAP server that is identified by the default referral. If no LDAP default
referral is specified, an Object does not exist result is returned.</p>
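<p>As an added illustration (not code from the original IBM documentation), the following Python snippet shows the matching that this paragraph and the earlier "o=IBM" example describe: a DN is compared against the configured suffixes on whole RDN components rather than as a text suffix, and a DN that falls under no configured suffix is either referred to the default referral or answered with no such object. The suffix list and referral URL in it are constructed for the example.</p>

```python
# Added example (not IBM Directory Server code): find which configured suffix
# holds a DN and derive the outcome the text describes for a request naming it
# (local, referral, or no such object). Suffix list and URLs are constructed.
EXAMPLE_SUFFIXES = ["o=IBM", "cn=schema", "cn=localhost", "dc=myco,dc=com"]

def split_rdns(dn):
    """Split a DN into (type, value) RDN tuples, leftmost RDN first.
    A backslash-escaped comma (cn=Smith\\, John) does not split an RDN.
    Types and values are lower-cased and padding trimmed, so
    "O=IBM, C=US" equals "o=ibm,c=us".  Multi-valued RDNs are not expanded."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep escape + escaped char
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    parts.append("".join(cur))
    rdns = []
    for part in parts:
        typ, _, val = part.strip().partition("=")
        rdns.append((typ.strip().lower(), val.strip().lower()))
    return rdns

def naming_context_for(dn, suffixes):
    """Longest configured suffix holding dn, or None.  The comparison is on
    whole RDN components from the right, not on text: dc=notmyco,dc=com is
    NOT under dc=myco,dc=com even though the string ends with it."""
    target, best = split_rdns(dn), None
    for suffix in suffixes:
        srdns = split_rdns(suffix)
        if len(srdns) <= len(target) and target[-len(srdns):] == srdns:
            if best is None or len(srdns) > len(split_rdns(best)):
                best = suffix
    return best

def route_request(dn, suffixes, default_referral=None):
    """Server outcome for a request naming dn: local, referral or noSuchObject."""
    ctx = naming_context_for(dn, suffixes)
    if ctx is not None:
        return ("local", ctx)
    if default_referral:
        return ("referral", default_referral)
    return ("noSuchObject", None)
```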
<p>For additional information about how to add or remove a suffix, see <a href="rzahyasf-pi.htm#rzahyasf-pi">Add and remove Directory Server suffixes</a>.</p>
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
</body>
</html>