Hi,

Thank you for your replies !

@ Quanah:
What I understand of their system is that they built their own schemas... and they put all information (attributes) in one single OU.
Is that it?

@ Michael:
Yes, we already use ACLs (a lot); there is one for each service, as each service needs to authenticate before accessing any information, and so it is able to read only in "its" OU.

So, you both advise us to use one OU in which we put all attributes and then apply policies with ACLs?

In our case it would mean that:
-The OU people (where basic user information is stored) would then contain approx. 20 attributes.
-There would be an ACL per service/field on that OU.

Is that it ?

Thank you,
ZP

2015-04-15 1:57 GMT+04:00 Michael Ströder <michael@stroeder.com>:
Poul Etto wrote:
Thank you for all the information, even if it is going a bit far from the
initial question...
To clarify the problem, I will try to show what we are doing, you will find
here attached an image file that goes with following explanation:

There are "u" user accounts on the ldap server
We have a number of "s" services that use LDAP to manage user account.
Each service has particular attributes
Each service must be able to access only its information
Basic services use only the information contained in the standard LDAP
user account
Advanced services have dedicated OUs with special attributes

It is important that each service can access in RO (no modification)
only its information.
That's why we made our LDAP as it is in the attached picture.

To simplify usage of services for each user, we decided to duplicate the
"password" field between the different OUs, that's why I came here to ask
about aliases.

If ever you are sure that there is a cleaner way to do the things (that
isn't too heavy to setup), we will be glad to have more technical and
logical explanations.

This can all be done with appropriate ACLs, without aliases. Make sure your services authenticate when binding to slapd.

But I can't tell whether it "isn't too heavy" for you. Of course you would have to dive into the ACLs docs.

Ciao, Michael.
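An added example of the layout Michael and Quanah suggest, written here for illustration and not taken from the thread or from any poster: a single ou=people subtree holding every attribute, one stored userPassword per user (no duplicated password fields, so no need for aliases), and one read-only access rule per service. The suffix dc=example,dc=com, the service bind DNs under ou=services and the attribute names svcAQuota and svcBProfile are assumptions; the last two stand in for whatever a local schema defines.

```ldif
# Added example (not from the thread). Assumed: suffix dc=example,dc=com,
# service accounts under ou=services, per-service attributes svcAQuota and
# svcBProfile defined in a local schema. Database index {1} is also assumed.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Rule order matters: slapd uses the first "to" clause that matches the
# entry/attribute pair, so specific rules come before the catch-all.
# 0. Passwords are stored once. Users may change their own, anyone may
#    bind with it ("auth"), nobody may read the hash.
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# 1. Service A's private attribute: only A's bind DN can read it.
olcAccess: {1}to dn.subtree="ou=people,dc=example,dc=com" attrs=svcAQuota
  by dn.exact="cn=svcA,ou=services,dc=example,dc=com" read
  by * none
# 2. Same pattern for service B.
olcAccess: {2}to dn.subtree="ou=people,dc=example,dc=com" attrs=svcBProfile
  by dn.exact="cn=svcB,ou=services,dc=example,dc=com" read
  by * none
# 3. Basic account data shared by all services. The pseudo-attribute
#    "entry" must be granted or search results will not return the entry.
olcAccess: {3}to dn.subtree="ou=people,dc=example,dc=com" attrs=entry,uid,cn,mail
  by dn.exact="cn=svcA,ou=services,dc=example,dc=com" read
  by dn.exact="cn=svcB,ou=services,dc=example,dc=com" read
  by self read
  by * none
# 4. The container itself: authenticated binds may search below it.
olcAccess: {4}to dn.base="ou=people,dc=example,dc=com"
  by users search
# 5. Everything else is hidden. Services stay read-only because no rule
#    above grants them more than "read".
olcAccess: {5}to *
  by * none
```

Load it with `ldapmodify -Y EXTERNAL -H ldapi:///` on a cn=config server; on a slapd.conf server the same rules go in as `access to ... by ...` lines without the `olcAccess: {n}` prefix. Before trusting the rules, check them offline with slapacl, for example `slapacl -D "cn=svcA,ou=services,dc=example,dc=com" -b "uid=alice,ou=people,dc=example,dc=com" svcBProfile/read`, which should report DENIED, while the same command with svcAQuota/read should report ALLOWED; then repeat with ldapsearch bound as each service against the running server. Two points to keep in mind: a rule that lists attributes but omits `entry` silently returns nothing, and a user who binds as themselves is evaluated as `self`, not as any service, so a service that needs to verify user passwords should bind as the service and then do a compare on userPassword (or a bind as the user on a separate connection) rather than expecting `self` rights.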