2010/1/9 Michael Ströder <michael@stroeder.com>
Hung Luu wrote:
> Suppose I have the following DN's:
>
> inetOrgPerson:
> [uid=alice,dc=example,dc=com]
>
> organizationalRole:
> [cn=manager,ou=groups,dc=example,dc=com]
> [cn=supervisor,ou=groups,dc=example,dc=com]
>
> locality:
> [l=phoenix,ou=division,dc=example,dc=com]
> [l=portland,ou=division,dc=example,dc=com]
>
> How can I store in my directory the fact that Alice is a manger at the
> Phoenix division, but she is only a supervisor at the Portland division?
> I know group membership is involved here, but what's the best way to
> represent that group membership to optimize searches such as: Return all
> the people with a specific role at a specific locality, or return all
> the roles and localities for a person.

You could also use slapo-memberof to populate the member entries with a
back-reference to the group entries which make some queries a lot easier.

Ciao, Michael.

Suppose I have a group of roles and a group of localities, so that I have the following representation of group membership:

[cn=manager,ou=groups,dc=example,dc=com]
member: uid=alice,ou=people,dc=example,dc=com

[cn=supervisor,ou=groups,dc=example,dc=com]
member: uid=alice,ou=people,dc=example,dc=com

[l=phoenix,ou=divisions,dc=example,dc=com]
member: uid=alice,ou=people,dc=example,dc=com

[l=portland,ou=divisions,dc=example,dc=com]
member: uid=alice,ou=people,dc=example,dc=com

How will slapo-memberof tell me which role Alice has at which locality? What would the query look like?

Dynamic groups look promising, but would I have to create a dynamic group for each user-role mapping? Using cn=config, I should be able to add new dynamic groups on the fly without restarting slapd?


Thanks,
Hung.