2010/1/9 Michael Ströder <michael@stroeder.com>
Hung Luu wrote:
>
> 2010/1/9 Michael Ströder <michael@stroeder.com>
>
>     Hung Luu wrote:
>     > Suppose I have the following DN's:
>     >
>     > inetOrgPerson:
>     > [uid=alice,dc=example,dc=com]
>     >
>     > organizationalRole:
>     > [cn=manager,ou=groups,dc=example,dc=com]
>     > [cn=supervisor,ou=groups,dc=example,dc=com]
>     >
>     > locality:
>     > [l=phoenix,ou=division,dc=example,dc=com]
>     > [l=portland,ou=division,dc=example,dc=com]
>     >
>     > How can I store in my directory the fact that Alice is a manager at the
>     > Phoenix division, but she is only a supervisor at the Portland division?
>     > I know group membership is involved here, but what's the best way to
>     > represent that group membership to optimize searches such as: Return all
>     > the people with a specific role at a specific locality, or return all
>     > the roles and localities for a person.
>
>     You could also use slapo-memberof to populate the member entries with a
>     back-reference to the group entries which make some queries a lot easier.
>
> Suppose I have a group of roles and a group of localities, so that I
> have the following representation of group membership:
>
> [cn=manager,ou=groups,dc=example,dc=com]
> member: uid=alice,ou=people,dc=example,dc=com
>
> [cn=supervisor,ou=groups,dc=example,dc=com]
> member: uid=alice,ou=people,dc=example,dc=com
>
> [l=phoenix,ou=divisions,dc=example,dc=com]
> member: uid=alice,ou=people,dc=example,dc=com
>
> [l=portland,ou=divisions,dc=example,dc=com]
> member: uid=alice,ou=people,dc=example,dc=com
>
> How will slapo-memberof tell me which role Alice has at which locality?
> What would the query look like?

Sorry, seems I misread your requirement. Of course you have to store the
relation in some kind of 2-tuple. You could create entries for the
organizational roles below the locations if that isn't too static.

Ciao, Michael.

No worries, Michael, I really appreciate your input (and everyone who has replied).

My use cases dictate that every locality may have the same set of roles, so do you see a better way to accomplish this other than duplicating role entries under each locality?

The other thing I was contemplating was to flip group membership around so that groups become members of a user, something like this:

[ou=alice,ou=people,dc=example,dc=com]
[cn=role1]
member: cn=manager,ou=groups,dc=example,dc=com
member: l=phoenix,ou=divisions,dc=example,dc=com

[cn=role2]
member: cn=supervisor,ou=groups,dc=example,dc=com
member: l=portland,ou=divisions,dc=example,dc=com

This layout saved me from duplicating role entries under each locality, but something about this layout smells to me; it just doesn't feel right for some reason.

Thanks,
Hung.
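
An added illustration of the layout Michael suggests (role entries created below each locality), not part of the original thread and not code from either poster. It assumes the person is recorded in the `roleOccupant` attribute of each `organizationalRole` entry, uses the `ou=people` and `ou=divisions` DNs from Hung's second listing, adds a hypothetical `uid=bob`, and models the directory as an in-memory dictionary so both searches from the original question can be run offline:

```python
# Added example: constructed entries, not taken from a real directory.
# One organizationalRole entry per (role, locality) pair, placed below the
# locality entry; roleOccupant (assumed here) holds the person's DN.
BASE = "ou=divisions,dc=example,dc=com"
ALICE = "uid=alice,ou=people,dc=example,dc=com"
BOB = "uid=bob,ou=people,dc=example,dc=com"  # hypothetical second user

def role(cn, occupant):
    return {"objectClass": ["organizationalRole"], "cn": [cn],
            "roleOccupant": [occupant]}

DIT = {
    f"l=phoenix,{BASE}": {"objectClass": ["locality"], "l": ["phoenix"]},
    f"l=portland,{BASE}": {"objectClass": ["locality"], "l": ["portland"]},
    f"cn=manager,l=phoenix,{BASE}": role("manager", ALICE),
    f"cn=supervisor,l=phoenix,{BASE}": role("supervisor", BOB),
    f"cn=manager,l=portland,{BASE}": role("manager", BOB),
    f"cn=supervisor,l=portland,{BASE}": role("supervisor", ALICE),
}

def search(base, **equals):
    """Subtree search: DNs at or below base where every attr=value matches."""
    base = base.lower()
    hits = []
    for dn, attrs in DIT.items():
        in_scope = dn.lower() == base or dn.lower().endswith("," + base)
        matches = all(v.lower() in [x.lower() for x in attrs.get(a, [])]
                      for a, v in equals.items())
        if in_scope and matches:
            hits.append(dn)
    return sorted(hits)

def people_with_role_at(role_cn, locality):
    # LDAP equivalent: base "l=<locality>,<BASE>", scope sub, filter
    # (&(objectClass=organizationalRole)(cn=<role>)), attribute roleOccupant
    found = search(f"l={locality},{BASE}",
                   objectClass="organizationalRole", cn=role_cn)
    return sorted(p for dn in found for p in DIT[dn]["roleOccupant"])

def roles_and_localities_of(person_dn):
    # LDAP equivalent: base BASE, scope sub, filter
    # (&(objectClass=organizationalRole)(roleOccupant=<person DN>))
    pairs = []
    for dn in search(BASE, objectClass="organizationalRole",
                     roleOccupant=person_dn):
        rdns = dn.split(",")  # naive split; fine for these unescaped DNs
        pairs.append((rdns[0].split("=", 1)[1], rdns[1].split("=", 1)[1]))
    return sorted(pairs)
```

The role and the locality both come out of the matching entry's DN, so a single subtree search answers "all roles and localities for a person". The cost is the one Hung raises: each role entry is repeated under every locality.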