If you have a domain name that you legally own, split it into dc= components and use that as your basedn: if example.com is your domain, your basedn is "dc=example,dc=com". Windows Active Directory uses this convention. Its advantage is that anyone who knows the domain can guess the basedn, which also makes referrals between directories straightforward.


Keep schemacheck on so that slapd rejects entries that do not conform to the loaded schema; you will save yourself headaches later.

Example tree (rooted at the basedn above; the container entries between the root and the leaves were not preserved on this page)

    dc=example,dc=com
          uid=perry   uid=daniel   uid=craig
          uid=users   uid=admins

Configure slapd to use TLS wherever possible, either STARTTLS on the standard ldap:// port or the dedicated ldaps:// port. Beware that by default anyone can bind anonymously and browse your tree, so treat anonymous users explicitly in your ACLs rather than relying on the defaults.

Consider creating dedicated users for services that need to bind to the tree (mail, for example), so that each service gets its own credentials and its own ACL entry instead of binding anonymously or as an administrator.
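A slapd.conf fragment that puts the TLS, anonymous-access and service-account advice above into practice. This is an added example, not configuration from the original page: the certificate paths, the service DN cn=mail,dc=example,dc=com and the choice of ssf=128 are assumptions; dc=example,dc=com is the basedn used on this page.

```conf
# Added example (slapd.conf syntax, OpenLDAP 2.x); not from the original page.
# Assumptions: certificate paths, the service DN cn=mail,dc=example,dc=com,
# and ssf=128 as the minimum acceptable protection.

# TLS material. The same certificate serves STARTTLS on ldap:// and,
# if slapd is started with -h "ldap:/// ldaps:///", the ldaps:// port.
TLSCACertificateFile  /etc/ssl/certs/ca.pem
TLSCertificateFile    /etc/ssl/certs/ldap.example.com.pem
TLSCertificateKeyFile /etc/ssl/private/ldap.example.com.key

# Refuse any operation that is not protected by TLS (or an equivalent SASL
# layer): clients must STARTTLS or use ldaps:// before binding or searching.
security ssf=128

# Keep schema checking on. Older releases accept the keyword; later ones
# always check and no longer recognise it, so drop the line there.
schemacheck on

# If you want no anonymous access at all, "require authc" forces clients
# to bind before any other operation. Otherwise, handle anonymous in the
# ACLs below. ACLs are evaluated top-down; the first matching rule wins.

# Passwords: the owner may change them, anonymous clients may only use them
# to bind (bind requests arrive anonymously), nobody else sees them.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Everything else: the mail service account gets read access for its
# lookups, authenticated users may read, anonymous browsing is denied.
access to *
    by dn.exact="cn=mail,dc=example,dc=com" read
    by users read
    by anonymous none
```

After restarting slapd, verify the intent from a client: an `ldapsearch -x -b dc=example,dc=com` without `-ZZ` should be refused with a confidentiality-required error, and an anonymous search over TLS should return no entries, while a bind as cn=mail,dc=example,dc=com over TLS returns the tree.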

todo: discuss schemas

Part of CategoryBestPractices