Hi,
maybe someone has experienced the same problem. Take the following example. You would like to use one LDAP server (replicated, of course) for multiple domains, like:
ou=users,ou=department1,dc=company,dc=de
ou=users,ou=department2,dc=company,dc=de
ou=users,ou=maindep,dc=company,dc=de
...
Each department has its own domain, all users are part of maindep, some of those users are part of dep1 too and some of dep2.
So you have the maindep tree for general use (uid and password for things like mail, VPN and a general-purpose domain) and the smaller dep1 or dep2 trees for use with the workstations of the department. The uid of a user is always the same across the trees (uid=mikecharlie,ou=dep1,... = uid=mikecharlie,ou=maindep). The single departments are responsible for their users (creation and deletion of accounts in their subtrees). The maindep tree gets managed by IT center staff.
Now every department could work with their domain and users (and only those), but all users would have a general "account" for stuff that doesn't belong to their department alone.
The big problem is the sync of the passwords from subtree to subtree (dep1 to maindep or dep2 to maindep). Our users get confused if they have password1 for the login at a workstation and password2 for mail etc. But the departments want to have their own domains where they have the control over who is able to log in or not, BUT they want to have synchronized passwords.
Is there a possibility to refer to single attributes? Like uid=mikecharlie,ou=dep1,dc=company,dc=de -> userPassword -> look at uid=mikecharlie,ou=maindep,dc=hs-mannheim,dc=de -> userPassword.
Best regards Flo
openldap-technical@openldap.org