From: Mik J mikydevel@yahoo.fr
To: "openldap-technical@openldap.org" openldap-technical@openldap.org
From: Dan White dwhite@olp.net
To: Mik J mikydevel@yahoo.fr
On 09/28/12 18:40 +0100, Mik J wrote:
Hello,
I'm setting up my openldap server and I would like advice from experienced users.
My domain is dc=mycompany,dc=org
My company will have:
- employees
- clients
- partners
How should I organise my tree? For example:
o=MyCompany, dc=mycompany,dc=org
o=Client1, dc=mycompany,dc=org
o=Client2, dc=mycompany,dc=org
o=Partner1, dc=mycompany,dc=org
Or can I group clients?
o=Client1, ??=Clients, dc=mycompany,dc=org
o=Client2, ??=Clients, dc=mycompany,dc=org
What would be "??" if I want to make a group called Clients?
Or is my approach not good? If someone has advice (or links that describe a real-life case) I'll be more than happy to read them.
I personally prefer breaking up my DIT by function, rather than by company organization, e.g.:
uid=user1@companydomain1,ou=people,dc=mycompany,dc=org
uid=userx@companydomain2,ou=people,dc=mycompany,dc=org
cn=mygroup,ou=groups,dc=mycompany,dc=org
cn=myalias,ou=aliases,dc=mycompany,dc=org
Then, if I need to restrict an ldap search to one or more organizations, I do so by placing an identifying attribute within the user's entry, and find them with a filter.
Filters are generally a more flexible way to organize your users than a base.
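Dan's function-based layout written out as LDIF, added here as an illustration and not taken from the thread. The `o` and `employeeType` attributes used to tag each user's organisation are my assumption (both are optional attributes of inetOrgPerson), as is the local slapd that the commented ldapsearch lines would run against.

```ldif
# Added example: one ou per function, organisation recorded as an attribute
# (assumed: "o" and "employeeType" from inetOrgPerson) rather than as a base.
dn: ou=people,dc=mycompany,dc=org
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=mycompany,dc=org
objectClass: organizationalUnit
ou: groups

dn: uid=user1@companydomain1,ou=people,dc=mycompany,dc=org
objectClass: inetOrgPerson
uid: user1@companydomain1
cn: User One
sn: One
mail: user1@companydomain1
o: companydomain1
employeeType: client

dn: uid=userx@companydomain2,ou=people,dc=mycompany,dc=org
objectClass: inetOrgPerson
uid: userx@companydomain2
cn: User X
sn: X
mail: userx@companydomain2
o: companydomain2
employeeType: partner

dn: cn=mygroup,ou=groups,dc=mycompany,dc=org
objectClass: groupOfNames
cn: mygroup
member: uid=user1@companydomain1,ou=people,dc=mycompany,dc=org

# With this layout a search selects by attribute instead of by base, e.g.
# (assumes slapd on localhost, anonymous simple bind):
#   ldapsearch -x -H ldap://localhost -b ou=people,dc=mycompany,dc=org \
#       "(&(objectClass=inetOrgPerson)(o=companydomain1))" uid mail
#   ldapsearch -x -H ldap://localhost -b ou=people,dc=mycompany,dc=org \
#       "(|(employeeType=client)(employeeType=partner))" uid o
```

A filter only narrows what a query asks for; if clients and partners must not be able to read each other's entries, that separation has to be enforced with slapd access controls (olcAccess rules keyed on the same attribute), not by relying on the filter.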
Hello Dan, Thank you for your advice. I will consider this option seriously. I would also like to hear other people's implementation. Have a nice week
Hello Dan, I've started to think about your way to implement this and I've noticed that having a uid that looks like an email address is mandatory to achieve what I want. Right now my uids don't look like an email address but more like one letter + family name. Because you use emails as uids and you do filtering based on a regex applied to emails, do you need groups? Thank you