Is there any reason that POSIX usernames, groups, passwords, etc. must be stored in distinct locations in a directory? I realize this mostly applies to the padl pam/nis and the libnsspam-ldapd modules specifically.
Can they be stored in other structures effectively and usefully? Can they be stored on a department-by-department basis, or in any other organizational scheme (ou=arbitrary1,dc=... having groups and users, while ou=arb2,ou=arb3,dc=... also has users and groups)? If a scheme like the above is used, will all users and groups be available on a system? Must they be free of naming conflicts, or will group=users,ou=arbitrary1,... be different from group=users,ou=arb2,ou=arb3,...? If they're different, how would this be indicated by the systems?
Christ Schlacta wrote:
> Is there any reason that POSIX usernames, groups, passwords, etc. must be stored in distinct locations in a directory? I realize this mostly applies to the padl pam/nis and the libnsspam-ldapd modules specifically.
> Can they be stored in other structures effectively and usefully? Can they be stored on a department-by-department basis, or in any other organizational scheme (ou=arbitrary1,dc=... having groups and users, while ou=arb2,ou=arb3,dc=... also has users and groups)? If a scheme like the above is used, will all users and groups be available on a system? Must they be free of naming conflicts, or will group=users,ou=arbitrary1,... be different from group=users,ou=arb2,ou=arb3,...? If they're different, how would this be indicated by the systems?
A POSIX system considers usernames to be a flat namespace. If you store them in separate branches of a directory, you create the possibility of having duplicate names in separate branches, and the base OS will not be able to handle that.
This question has nothing to do with LDAP and has no place on this forum.
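A way to check a directory for exactly this problem, as an added example that is not from the thread: it parses a constructed LDIF export of two departmental branches and reports every uid, uidNumber, posixGroup cn and gidNumber that is defined more than once, since an NSS LDAP module searching the whole tree hands all of them to the C library as one flat namespace. The LDIF contents, the DNs and the parse_ldif/find_collisions names are constructed for the example.

```python
# Constructed sample LDIF: two departmental branches, each with user "alice" and group "users".
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,ou=arbitrary1,dc=example,dc=org
objectClass: posixAccount
uid: alice
uidNumber: 1001
gidNumber: 2001

dn: cn=users,ou=groups,ou=arbitrary1,dc=example,dc=org
objectClass: posixGroup
cn: users
gidNumber: 2001

dn: uid=alice,ou=people,ou=arb2,ou=arb3,dc=example,dc=org
objectClass: posixAccount
uid: alice
uidNumber: 1001
gidNumber: 2002

dn: cn=users,ou=groups,ou=arb2,ou=arb3,dc=example,dc=org
objectClass: posixGroup
cn: users
gidNumber: 2002
"""

# Attributes NSS resolves as one flat namespace: each must be unique tree-wide.
FLAT_KEYS = {"posixAccount": ("uid", "uidNumber"), "posixGroup": ("cn", "gidNumber")}

def parse_ldif(text):
    """Minimal LDIF parser (no line folding or base64): one dict per blank-line block."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, value = line.split(":", 1)
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def find_collisions(entries):
    """Map (objectClass, attr, value) -> list of DNs for values defined in more than one entry."""
    seen = {}
    for e in entries:
        for oc, attrs in FLAT_KEYS.items():
            if oc in e.get("objectClass", []):
                for attr in attrs:
                    for value in e.get(attr, []):
                        seen.setdefault((oc, attr, value), []).append(e["dn"][0])
    return {key: dns for key, dns in seen.items() if len(dns) > 1}
```

Running find_collisions(parse_ldif(SAMPLE_LDIF)) reports uid=alice, uidNumber=1001 and cn=users each defined twice, with the two DNs behind each; these are the entries getpwnam()/getgrnam() cannot tell apart, so the check belongs in the provisioning path before such entries are written.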
On 1/5/2011 17:01, Howard Chu wrote:
> Christ Schlacta wrote:
>> Is there any reason that POSIX usernames, groups, passwords, etc. must be stored in distinct locations in a directory? I realize this mostly applies to the padl pam/nis and the libnsspam-ldapd modules specifically.
>> Can they be stored in other structures effectively and usefully? Can they be stored on a department-by-department basis, or in any other organizational scheme (ou=arbitrary1,dc=... having groups and users, while ou=arb2,ou=arb3,dc=... also has users and groups)? If a scheme like the above is used, will all users and groups be available on a system? Must they be free of naming conflicts, or will group=users,ou=arbitrary1,... be different from group=users,ou=arb2,ou=arb3,...? If they're different, how would this be indicated by the systems?
> A POSIX system considers usernames to be a flat namespace. If you store them in separate branches of a directory, you create the possibility of having duplicate names in separate branches, and the base OS will not be able to handle that.
> This question has nothing to do with LDAP and has no place on this forum.
In fact your answer is perfect and sufficiently answers all the questions. If the underlying operating system doesn't support it, then LDAP can't be used for it. Thank you :)
openldap-technical@openldap.org