On Tue, Jul 17, 2012 at 7:42 PM, Gavin Henry ghenry@suretecsystems.com wrote:
What lives under ou=CompanyA etc? User accounts? Something we do for this, to keep the DIT level shallow, is to keep all user accounts in ou=Users and filter based on o=CompanyA, which is an attribute on that user entry. Then you can use slapo-dynlist to create company groups etc.
Each backend (or 1 if I keep everything together on the master) has indeed an ou=People (or Users, doesn't matter) with PosixAccount and an ou=groups (using rfc2307bis to combine posixGroup and groupOfNames).
Indeed, I want the DIT level to be kept shallow. Maybe I can try something with slapo-dynlist, as I will use the overlay to create dynamic groups with memberURL anyway.
Not sure what ACLs you've got or the overall function of your directory server to advise a new DIT.
For the moment I have no special ACLs.
OT: In the end, my goal is to provide an integrated directory service for three affiliated companies. Primary goal: Linux authentication/authorization, Puppet node configs, netgroups, sudo and ssh... Secondary goal: app data or users.
Not easy if you want the directory to be perfect ;-)
Thx a lot for the very useful responses!
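
The flat-DIT layout suggested in the quoted reply, sketched as an added example that is not part of the original thread: all accounts sit in ou=Users, each carries an o attribute, and slapo-dynlist expands a per-company group from a memberURL filter. The suffix dc=example,dc=com, the database index {1}mdb, the user alice and all numeric IDs are constructed placeholders; the dynlist module and the dyngroup schema (which defines groupOfURLs and memberURL) are assumed to be loaded already.

```ldif
# Added example. Suffix, database name and all entries are constructed.

# 1. Attach dynlist to the database (cn=config style, OpenLDAP 2.4).
#    groupOfURLs entries are expanded; with "member" as the third
#    argument only the DNs of matching entries are returned.
dn: olcOverlay=dynlist,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcDynamicList
olcOverlay: dynlist
olcDlAttrSet: groupOfURLs memberURL member

# 2. One flat container for every company's accounts.
dn: ou=Users,dc=example,dc=com
objectClass: organizationalUnit
ou: Users

# 3. A user entry. inetOrgPerson permits the "o" attribute that the
#    company filter matches on; posixAccount is added as an auxiliary class.
dn: uid=alice,ou=Users,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: alice
cn: Alice Example
sn: Example
o: CompanyA
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice

# 4. The dynamic company group. The URL searches one level below
#    ou=Users and selects every entry whose o is CompanyA.
dn: cn=CompanyA,ou=Groups,dc=example,dc=com
objectClass: groupOfURLs
cn: CompanyA
memberURL: ldap:///ou=Users,dc=example,dc=com??one?(o=CompanyA)
```

Because membership follows directly from the o value on each user entry, write access to that attribute decides who is in which company group, so it is worth restricting with an ACL once ACLs are introduced.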