--On December 5, 2007 1:41:49 PM -0500 Nathan Nobbe quickshiftin@gmail.com wrote:
I have not read any material on ideal directory layout. Can you refer me to a good resource? The design I have created is based only on intuition. That, and the schema reference available in phpLdapAdmin. Truth be told, I've found the documentation in the OpenLDAP administration guide only marginally helpful. At least I haven't seen much in there about LDAP itself; the guide seems to presume preexisting knowledge of LDAP, of which mine is scant :)
Well, there's no hard rule. The general principle is: as flat as possible, as deep as necessary. The problem of course is compounded by the fact that bad design decisions at the beginning can haunt you for years. ;)
If I were to have a tree for organizationalUnit objects and another for organizationalPerson objects, what would be the ideal root objectClass of those trees?
The root objectClass of a tree really does not have to pertain to the objects contained in that tree. I tend to make my branch roots fairly benign, like:
    dn: cn=people,dc=myorg,dc=com
    objectclass: organizationalRole
    description: people
    cn: people
In answer to your question, however, you may find that using sets helps with some of what you want to do.
What are sets in the context of LDAP?
That's an excellent question. Some day they'll be documented, hopefully. :) But here are some examples:
    access to dn.children="cn=people,dc=myorg,dc=com"
        by set.exact="this/uid & user/uid" read

If THIS ENTRY and the BINDING USER have the same value for UID, allow READ.

    access to dn.children="cn=nis,dc=myorg,dc=com"
        by set.exact="this/host & user" read

If THIS ENTRY's host attribute matches the USER, allow READ.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
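As an added illustration that is not part of Quanah's message, the Python below evaluates the two set expressions from his ACL examples against a small constructed in-memory directory. The entries, DNs and the eval_set/set_matches helpers are assumptions made for this example; a non-empty result is what makes a "by set.exact=..." clause grant the listed access.

```python
# Added example (not from the thread): a minimal evaluator for the subset of
# OpenLDAP ACL set syntax shown above: "this", "user", "<set>/<attr>" and "&".
# Simplification: DNs are compared as exact strings; real slapd compares
# normalized DNs, so treat this as an illustration of the semantics only.

# Constructed sample directory: DN -> {attribute: [values]}.
DIRECTORY = {
    "uid=alice,cn=people,dc=myorg,dc=com": {"uid": ["alice"]},
    "uid=bob,cn=people,dc=myorg,dc=com": {"uid": ["bob"]},
    # NIS-style host entry whose "host" attribute names an allowed user DN.
    "cn=web1,cn=nis,dc=myorg,dc=com": {
        "host": ["uid=alice,cn=people,dc=myorg,dc=com"]
    },
}


def _attr_values(entry_dns, attr):
    """Replace a set of entry DNs by the union of their <attr> values."""
    values = set()
    for dn in entry_dns:
        values.update(DIRECTORY.get(dn, {}).get(attr, []))
    return values


def eval_set(expr, this_dn, user_dn):
    """Evaluate 'term & term & ...' where each term is this, user,
    this/<attr> or user/<attr>. Returns the resulting set of values;
    an empty set means the <by> clause does not match."""
    result = None
    for term in expr.split("&"):
        term = term.strip()
        base, _, attr = term.partition("/")
        if base == "this":
            seed = {this_dn}          # the entry being accessed
        elif base == "user":
            seed = {user_dn}          # the DN that bound to the server
        else:
            raise ValueError(f"unsupported set term: {term!r}")
        values = _attr_values(seed, attr) if attr else seed
        result = values if result is None else result & values
    return result if result is not None else set()


def set_matches(expr, this_dn, user_dn):
    """True when the set expression yields at least one value."""
    return bool(eval_set(expr, this_dn, user_dn))
```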
Quanah Gibson-Mount wrote:
That's an excellent question. Some day they'll be documented,
I don't even have a section placeholder for that yet or even one dedicated to ACLs...hmmm...
openldap-software@openldap.org