On 09/01/10 23:19, Hung Luu wrote:
2010/1/9 Michael Ströder <michael@stroeder.com>

Hung Luu wrote:
> Suppose I have the following DN's:
>
> inetOrgPerson:
> [uid=alice,dc=example,dc=com]
>
> organizationalRole:
> [cn=manager,ou=groups,dc=example,dc=com]
> [cn=supervisor,ou=groups,dc=example,dc=com]
>
> locality:
> [l=phoenix,ou=division,dc=example,dc=com]
> [l=portland,ou=division,dc=example,dc=com]
>
> How can I store in my directory the fact that Alice is a manager at the
> Phoenix division, but she is only a supervisor at the Portland division?
> I know group membership is involved here, but what's the best way to
> represent that group membership to optimize searches such as: Return all
> the people with a specific role at a specific locality, or return all
> the roles and localities for a person.

You could also use slapo-memberof to populate the member entries with a back-reference to the group entries, which makes some queries a lot easier.

Ciao, Michael.

Suppose I have a group of roles and a group of localities, so that I have the following representation of group membership:

[cn=manager,ou=groups,dc=example,dc=com]
member: uid=alice,ou=people,dc=example,dc=com

[cn=supervisor,ou=groups,dc=example,dc=com]
member: uid=alice,ou=people,dc=example,dc=com

[l=phoenix,ou=divisions,dc=example,dc=com]
member: uid=alice,ou=people,dc=example,dc=com

[l=portland,ou=divisions,dc=example,dc=com]
member: uid=alice,ou=people,dc=example,dc=com

How will slapo-memberof tell me which role Alice has at which locality? What would the query look like?
You could have groups under each location, like:

[l=phoenix,ou=divisions,dc=example,dc=com]
[cn=managers,l=phoenix,ou=divisions,dc=example,dc=com]
member: uid=alice,ou=people,dc=example,dc=com

[l=portland,ou=divisions,dc=example,dc=com]
[cn=supervisors,l=phoenix,ou=divisions,dc=example,dc=com]
member: uid=alice,ou=people,dc=example,dc=com

And then memberOf would show these groups.
Or, you could just store managers and supervisors as attribute values in the location's entry, and use a dynamic group to get a list of all managers.
Dynamic groups look promising, but would I have to create a dynamic group for each user-role mapping? Using cn=config, I should be able to add new dynamic groups on the fly without restarting slapd?
Yes. You may need to load the overlay as a module, if you don't have it compiled in statically, then add the overlay config object under your database.
Regards, Jonathan
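
Added example, not part of the original thread: a Python sketch of both searches under the "groups under each location" layout, building the memberOf filter with RFC 4514/4515 escaping so a role or locality name taken from user input cannot alter the filter, and decoding a person's memberOf values into (locality, role) pairs. The group naming `cn=<role>,l=<locality>,ou=divisions,dc=example,dc=com`, the helper names and the sample values are assumptions made for illustration.

```python
# Assumed layout: role groups are named cn=<role>,l=<locality>,<BASE>.
BASE = "ou=divisions,dc=example,dc=com"

def escape_rdn_value(value):
    """Escape a string for use as an RDN value (RFC 4514)."""
    out = "".join("\\" + c if c in '\\,+"<>;=' else c for c in value)
    out = out.replace("\x00", "\\00")
    if out[:1] in (" ", "#"):
        out = "\\" + out
    if len(value) > 1 and value.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def escape_filter_value(value):
    """Escape a string for use as an assertion value in a filter (RFC 4515)."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(c, c) for c in value)

def people_filter(role, locality):
    """Filter matching every entry whose memberOf names the role group at a locality."""
    dn = f"cn={escape_rdn_value(role)},l={escape_rdn_value(locality)},{BASE}"
    return f"(memberOf={escape_filter_value(dn)})"

def split_dn(dn):
    """Split a DN into RDN strings on commas that are not backslash-escaped."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur, i = cur + dn[i:i + 2], i + 2
        elif dn[i] == ",":
            parts, cur, i = parts + [cur], "", i + 1
        else:
            cur, i = cur + dn[i], i + 1
    return parts + [cur]

def roles_by_locality(member_of_values):
    """Turn a person's memberOf values into sorted (locality, role) pairs."""
    pairs = []
    for dn in member_of_values:
        rdns = split_dn(dn)
        if len(rdns) < 3 or ",".join(rdns[2:]).lower() != BASE or not all("=" in r for r in rdns[:2]):
            continue  # not one of the per-locality role groups
        (ra, role), (la, loc) = (r.split("=", 1) for r in rdns[:2])
        if ra.lower() == "cn" and la.lower() == "l":
            pairs.append((loc, role))  # values stay in their DN-escaped form
    return sorted(pairs)

# Constructed sample: memberOf values as they could appear on alice's entry.
ALICE_MEMBER_OF = ["cn=managers,l=phoenix," + BASE, "cn=supervisors,l=portland," + BASE,
                   "cn=manager,ou=groups,dc=example,dc=com"]
```

The string returned by `people_filter` is what would be passed as the search filter; `roles_by_locality` works on the memberOf values read back from a single person entry.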