On Mon, May 2, 2011 at 10:17 AM, E.S. Rosenberg esr+openldap@g.jct.ac.il wrote:
Hello all, I am considering redoing our LDAP tree, since its current design is fairly unfortunate. I have read several articles that said that groups should be as general (and broad) as possible, and as a result of that the LDAP tree should be as free of hierarchy as possible (an ou for people, an ou for machines, etc., but no ou for departments). The reasoning seems to be that the design of LDAP is optimized for reads and not for writes, and managing moves between branches is/was a pain.
Hi Eli, nothing could be farther from the truth!!! But then again, it depends on what you use your LDAP for. If it's just a stupid backend for Samba or your MTA, then yes, use KISS.
But if you really want a directory, you should use a structure that reflects the true nature of your business, with as many levels and as much complexity as required, without _any_ limitations. Your queries won't be any simpler or more complex, since you always simplify queries with the adequate attributes. In fact, hierarchies will almost always help, unless of course your needs are just a fast backend for your MTA, or MS AD emulation needs.
FOSS products like PHPLDAPAdmin and LAM (LDAP Account Manager, which derives almost directly from the former) are already pre-configured to work in the stupid People, Machines world of the stupid Microsoft Active Directory pseudo-LDAP crap. You can, however, EASILY configure any of them to work with your complex DIT.
If you search the list archives, I posted a response to a thread by mistake and attached an interesting doc on the issue (it's in Spanish, though).
Best,
-- Alejandro
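An added illustration of the departmental layout argued for above, written for this thread and not taken from either poster: a small hierarchical DIT, the searches that stay simple on it, and a branch-to-branch move done as a single modrdn. The suffix dc=example,dc=com and all names are assumed.

```ldif
# Assumed suffix dc=example,dc=com; all entries are constructed samples.
# Load the whole file with: ldapmodify -x -D <admin DN> -W -f dit.ldif
dn: ou=Departments,dc=example,dc=com
changetype: add
objectClass: organizationalUnit
ou: Departments

dn: ou=Sales,ou=Departments,dc=example,dc=com
changetype: add
objectClass: organizationalUnit
ou: Sales

dn: ou=Engineering,ou=Departments,dc=example,dc=com
changetype: add
objectClass: organizationalUnit
ou: Engineering

dn: uid=jdoe,ou=Sales,ou=Departments,dc=example,dc=com
changetype: add
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
sn: Doe
departmentNumber: Sales
mail: jdoe@example.com

# A subtree search by attribute finds the entry wherever it sits,
# so the query is no harder than on a flat tree:
#   ldapsearch -x -b dc=example,dc=com -s sub '(mail=jdoe@example.com)'
# The hierarchy additionally lets a search be scoped to one department
# without any attribute filter on department at all:
#   ldapsearch -x -b ou=Sales,ou=Departments,dc=example,dc=com -s one '(objectClass=inetOrgPerson)'

# Moving the person to another branch is one modrdn with newsuperior:
dn: uid=jdoe,ou=Sales,ou=Departments,dc=example,dc=com
changetype: modrdn
newrdn: uid=jdoe
deleteoldrdn: 1
newsuperior: ou=Engineering,ou=Departments,dc=example,dc=com

# Caveat: the DN changes, so anything that stores it (groupOfNames
# member values, slapd access rules written against the old DN,
# application configs) must be updated or the person silently loses
# or keeps rights they should not; a search by uid still works.
```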