Howard Chu wrote:
> Yes, most of the logic belongs in the application, but you can get some help from LDAP if you design your DIT properly.
Howard,
from my (limited) experience, the answer is always: the DIT has already been designed with other needs in mind, so it is a constraint rather than an opportunity. For which is which, I concur that your suggestion would make things naturally simple, as they should be, but it requires:
- changing the DIT design
- changing the logic of the client and provisioning applications
so it looks much easier to hack the process in between.
p.
> Remember that a directory is a hierarchical name space; if you don't take advantage of that fact then you may as well just use an RDBMS.
> Telephone numbers are also a hierarchical name space; there's a natural mapping that makes this problem simple:
> Given a user with subscriber number xxx-yyyyy, just split the number into two components: number=yyyyy,prefix=xxx,ou=subscribers,dc=example,dc=com
> Make the application always transform its lookups to match this naming scheme. Then, for users who are "local" to the system, you do a base search on exactly their number. For 123-4567, look up number=4567,prefix=123,ou=subscribers,dc=example,dc=com
> If it exists, you get the result back immediately. If the query is 999-12345 and only the prefix exists, then your lookup for number=12345,prefix=999,ou=subscribers,dc=example,dc=com will fail, and the result will come back with a matchedDN of prefix=999,ou=subscribers,dc=example,dc=com
> Then your app just has to look up the matchedDN entry, and proceed from there. "Wildcards" are unnecessary.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando@sys-net.it
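The number-to-DN mapping and matchedDN fallback that Howard describes in the quoted text, as an added example that is not part of the thread: the DIT is a constructed in-memory dict standing in for the server, and base_search() mimics how a base-scope search reports matchedDN on noSuchObject (the naive comma split assumes no escaped commas in RDN values).

```python
import re

BASE = "ou=subscribers,dc=example,dc=com"

# Constructed sample DIT: one "local" subscriber under prefix 123 and a
# bare prefix entry for 999 with nothing beneath it.
DIT = {
    BASE: {"objectClass": ["organizationalUnit"]},
    "prefix=123," + BASE: {"objectClass": ["organizationalUnit"]},
    "number=4567,prefix=123," + BASE: {"cn": ["Local User"]},
    "prefix=999," + BASE: {"objectClass": ["organizationalUnit"]},
}


def number_to_dn(subscriber):
    """Map 'xxx-yyyyy' to number=yyyyy,prefix=xxx,<base>; reject malformed input
    before it reaches the directory (the validation is this example's assumption)."""
    m = re.fullmatch(r"(\d{3})-(\d{4,5})", subscriber)
    if not m:
        raise ValueError("subscriber number must look like xxx-yyyy or xxx-yyyyy")
    prefix, number = m.groups()
    return f"number={number},prefix={prefix},{BASE}"


def base_search(dn):
    """Simulate a base-scope search on exactly one DN.

    Returns (entry, matched_dn). When the DN exists, entry is its attribute
    dict and matched_dn is the DN itself. Otherwise entry is None and
    matched_dn is the longest existing suffix, as the server's matchedDN
    field would report ('' if not even the base exists).
    """
    if dn in DIT:
        return DIT[dn], dn
    rdns = dn.split(",")
    for i in range(1, len(rdns)):
        candidate = ",".join(rdns[i:])
        if candidate in DIT:
            return None, candidate
    return None, ""


def resolve(subscriber):
    """Look up a subscriber; on a miss, continue from the matchedDN entry."""
    dn = number_to_dn(subscriber)
    entry, matched = base_search(dn)
    if entry is not None:
        return "local", dn, entry
    if matched and matched != BASE:
        # Only the prefix exists: hand the prefix entry back to the caller.
        return "prefix", matched, DIT[matched]
    return "unknown", matched, None
```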