I'm still a newbie about openLDAP, but I need already to get the right choice in this design phase in order to avoid terrible troubles in the next future :)

We have two companies: wiki.com and grape.jp.

# Data set

a) wiki.com is the one hosting openLDAP and has several user accounts registered into.

b) grape.jp can create user accounts in the same openLDAP hosted by wiki.com

# Authorization

c) wiki.com can see and manage all the user accounts.

d) grape.jp can manage only user accounts created by itself.

I'm thinking at the following configuration: one database called "dn=wiki,dn=com" which requires objects with following schema

dn: mail=user1@wiki.com,dc=wiki,dc=com
objectclass: inetOrgPerson
cn: <user1 nickname>
givenname: <user1 first name>
mail: user1@wiki.com
sn: <user1 surname>
userPassword: aNiceEncryptedPassword
o:<either wiki.com or grape.jp depending on who has created the user>

and then setting a proper ACL (olc) on the attribute 'o' in order to defined who can access what (but on this side I need still to understand A LOT).

My configuration is driven from the fact I need also to integrate Liferay 6.1 which needs to see all the user accounts :-(

Let me thank you for having read till here! Any suggestion and/or reference would be highly appreciated.

Best Regards,

Simone

P.s. I was looking also for a good guide/book on Amazon, but everything looks quite outdated...