--On Tuesday, February 6, 2024 4:27 PM +0000 Norman Gray <gray@nxg.name> wrote:
> > Store what department(s) they belong to as attribute in their user entry.
>
> I take the point, and I certainly wouldn't organise things this way if _I_ were king.
>
> In this case, though, dept1, dept2, and so on, are separate administrative domains, in both IT terms and real bureaucratic ones, and this is an attempt to bring some sort of coherence to a bit of historic anarchy (and yes, there is an ou=staff layer in the middle of the real trees).
>
> Everyone more-or-less agrees on the names and uidNumbers in dept1, but there might be a local 'norman' in both dept2 and dept3, or people in those trees with historically colliding UIDs. The result is that systems in dept2 will acknowledge users in ou=dept1 and ou=dept2, users in dept3 acknowledge ou=dept1 and dept3 but ignore ou=dept2, and so on. I expect that names will soon no longer be created in the deptN trees (pretty please?), in favour of the dept1 tree, and the ou=staff parts of those will atrophy, but I'll be retired by then.
>
> If there's a different way of approaching that particular problem, though, right now is the time for me to be rethinking this, so I'm open to challenge.
Ah, ok, I thought you were setting up a new server. Since it was historically done this way, yeah, best thing is to slowly fix the data until it can be done correctly. Sounds like it would take an institutional commitment to resolving the collisions to ever fix this fully.
--Quanah