Hello,
Suppose I have the following DNs:
inetOrgPerson: [uid=alice,dc=example,dc=com]
organizationalRole: [cn=manager,ou=groups,dc=example,dc=com] [cn=supervisor,ou=groups,dc=example,dc=com]
locality: [l=phoenix,ou=division,dc=example,dc=com] [l=portland,ou=division,dc=example,dc=com]
How can I store in my directory the fact that Alice is a manager at the Phoenix division, but she is only a supervisor at the Portland division? I know group membership is involved here, but what's the best way to represent that group membership to optimize searches such as: Return all the people with a specific role at a specific locality, or return all the roles and localities for a person.
-Hung.
Hung Luu <hung.n.luu@gmail.com> writes:
> Hello,
> Suppose I have the following DNs:
> inetOrgPerson: [uid=alice,dc=example,dc=com]
> organizationalRole: [cn=manager,ou=groups,dc=example,dc=com] [cn=supervisor,ou=groups,dc=example,dc=com]
> locality: [l=phoenix,ou=division,dc=example,dc=com] [l=portland,ou=division,dc=example,dc=com]
> How can I store in my directory the fact that Alice is a manager at the Phoenix division, but she is only a supervisor at the Portland division? I know group membership is involved here, but what's the best way to represent that group membership to optimize searches such as: Return all the people with a specific role at a specific locality, or return all the roles and localities for a person.
Create dynamic groups or dynamic lists, man slapo-dynlist(5).
-Dieter
Hung Luu wrote:
> Suppose I have the following DNs:
> inetOrgPerson: [uid=alice,dc=example,dc=com]
> organizationalRole: [cn=manager,ou=groups,dc=example,dc=com] [cn=supervisor,ou=groups,dc=example,dc=com]
> locality: [l=phoenix,ou=division,dc=example,dc=com] [l=portland,ou=division,dc=example,dc=com]
> How can I store in my directory the fact that Alice is a manager at the Phoenix division, but she is only a supervisor at the Portland division? I know group membership is involved here, but what's the best way to represent that group membership to optimize searches such as: Return all the people with a specific role at a specific locality, or return all the roles and localities for a person.
You could also use slapo-memberof to populate the member entries with a back-reference to the group entries which make some queries a lot easier.
Ciao, Michael.
2010/1/9 Michael Ströder <michael@stroeder.com>
> Hung Luu wrote:
>> Suppose I have the following DNs:
>> inetOrgPerson: [uid=alice,dc=example,dc=com]
>> organizationalRole: [cn=manager,ou=groups,dc=example,dc=com] [cn=supervisor,ou=groups,dc=example,dc=com]
>> locality: [l=phoenix,ou=division,dc=example,dc=com] [l=portland,ou=division,dc=example,dc=com]
>> How can I store in my directory the fact that Alice is a manager at the Phoenix division, but she is only a supervisor at the Portland division? I know group membership is involved here, but what's the best way to represent that group membership to optimize searches such as: Return all the people with a specific role at a specific locality, or return all the roles and localities for a person.
> You could also use slapo-memberof to populate the member entries with a back-reference to the group entries which make some queries a lot easier.
> Ciao, Michael.
Suppose I have a group of roles and a group of localities, so that I have the following representation of group membership:
[cn=manager,ou=groups,dc=example,dc=com] member: uid=alice,ou=people,dc=example,dc=com
[cn=supervisor,ou=groups,dc=example,dc=com] member: uid=alice,ou=people,dc=example,dc=com
[l=phoenix,ou=divisions,dc=example,dc=com] member: uid=alice,ou=people,dc=example,dc=com
[l=portland,ou=divisions,dc=example,dc=com] member: uid=alice,ou=people,dc=example,dc=com
How will slapo-memberof tell me which role Alice has at which locality? What would the query look like?
Dynamic groups look promising, but would I have to create a dynamic group for each user-role mapping? Using cn=config, I should be able to add new dynamic groups on the fly without restarting slapd?
Thanks, Hung.
Hung Luu wrote:
> 2010/1/9 Michael Ströder <michael@stroeder.com>
>> Hung Luu wrote:
>>> Suppose I have the following DNs:
>>> inetOrgPerson: [uid=alice,dc=example,dc=com]
>>> organizationalRole: [cn=manager,ou=groups,dc=example,dc=com] [cn=supervisor,ou=groups,dc=example,dc=com]
>>> locality: [l=phoenix,ou=division,dc=example,dc=com] [l=portland,ou=division,dc=example,dc=com]
>>> How can I store in my directory the fact that Alice is a manager at the Phoenix division, but she is only a supervisor at the Portland division? I know group membership is involved here, but what's the best way to represent that group membership to optimize searches such as: Return all the people with a specific role at a specific locality, or return all the roles and localities for a person.
>> You could also use slapo-memberof to populate the member entries with a back-reference to the group entries which make some queries a lot easier.
> Suppose I have a group of roles and a group of localities, so that I have the following representation of group membership:
> [cn=manager,ou=groups,dc=example,dc=com] member: uid=alice,ou=people,dc=example,dc=com
> [cn=supervisor,ou=groups,dc=example,dc=com] member: uid=alice,ou=people,dc=example,dc=com
> [l=phoenix,ou=divisions,dc=example,dc=com] member: uid=alice,ou=people,dc=example,dc=com
> [l=portland,ou=divisions,dc=example,dc=com] member: uid=alice,ou=people,dc=example,dc=com
> How will slapo-memberof tell me which role Alice has at which locality? What would the query look like?
Sorry, seems I mis-read your requirement. Of course you have to store the relation in some kind of 2-tuple. You could create entries for the organizational roles below the locations if that isn't too static.
Ciao, Michael.
2010/1/9 Michael Ströder <michael@stroeder.com>
> Hung Luu wrote:
>> 2010/1/9 Michael Ströder <michael@stroeder.com>
>>> Hung Luu wrote:
>>>> Suppose I have the following DNs:
>>>> inetOrgPerson: [uid=alice,dc=example,dc=com]
>>>> organizationalRole: [cn=manager,ou=groups,dc=example,dc=com] [cn=supervisor,ou=groups,dc=example,dc=com]
>>>> locality: [l=phoenix,ou=division,dc=example,dc=com] [l=portland,ou=division,dc=example,dc=com]
>>>> How can I store in my directory the fact that Alice is a manager at the Phoenix division, but she is only a supervisor at the Portland division? I know group membership is involved here, but what's the best way to represent that group membership to optimize searches such as: Return all the people with a specific role at a specific locality, or return all the roles and localities for a person.
>>> You could also use slapo-memberof to populate the member entries with a back-reference to the group entries which make some queries a lot easier.
>> Suppose I have a group of roles and a group of localities, so that I have the following representation of group membership:
>> [cn=manager,ou=groups,dc=example,dc=com] member: uid=alice,ou=people,dc=example,dc=com
>> [cn=supervisor,ou=groups,dc=example,dc=com] member: uid=alice,ou=people,dc=example,dc=com
>> [l=phoenix,ou=divisions,dc=example,dc=com] member: uid=alice,ou=people,dc=example,dc=com
>> [l=portland,ou=divisions,dc=example,dc=com] member: uid=alice,ou=people,dc=example,dc=com
>> How will slapo-memberof tell me which role Alice has at which locality? What would the query look like?
> Sorry, seems I mis-read your requirement. Of course you have to store the relation in some kind of 2-tuple. You could create entries for the organizational roles below the locations if that isn't too static.
> Ciao, Michael.
No worries, Michael, I really appreciate your input (and everyone who has replied).
My use cases dictate that every locality may have the same set of roles, so do you see a better way to accomplish this other than duplicating role entries under each locality?
The other thing I was contemplating was to flip group membership around so that groups become members of a user, something like this:
[ou=alice,ou=people,dc=example,dc=com]
[cn=role1]
member: cn=manager,ou=groups,dc=example,dc=com
member: l=phoenix,ou=divisions,dc=example,dc=com
[cn=role2]
member: cn=supervisor,ou=groups,dc=example,dc=com
member: l=portland,ou=divisions,dc=example,dc=com
This layout saved me from duplicating role entries under each locality, but something about this layout smells to me, it just doesn't feel right for some reason.
Thanks, Hung.
On 09/01/10 23:19, Hung Luu wrote:
> 2010/1/9 Michael Ströder <michael@stroeder.com>
>> Hung Luu wrote:
>>> Suppose I have the following DNs:
>>> inetOrgPerson: [uid=alice,dc=example,dc=com]
>>> organizationalRole: [cn=manager,ou=groups,dc=example,dc=com] [cn=supervisor,ou=groups,dc=example,dc=com]
>>> locality: [l=phoenix,ou=division,dc=example,dc=com] [l=portland,ou=division,dc=example,dc=com]
>>> How can I store in my directory the fact that Alice is a manager at the Phoenix division, but she is only a supervisor at the Portland division? I know group membership is involved here, but what's the best way to represent that group membership to optimize searches such as: Return all the people with a specific role at a specific locality, or return all the roles and localities for a person.
>> You could also use slapo-memberof to populate the member entries with a back-reference to the group entries which make some queries a lot easier.
>> Ciao, Michael.
> Suppose I have a group of roles and a group of localities, so that I have the following representation of group membership:
> [cn=manager,ou=groups,dc=example,dc=com] member: uid=alice,ou=people,dc=example,dc=com
> [cn=supervisor,ou=groups,dc=example,dc=com] member: uid=alice,ou=people,dc=example,dc=com
> [l=phoenix,ou=divisions,dc=example,dc=com] member: uid=alice,ou=people,dc=example,dc=com
> [l=portland,ou=divisions,dc=example,dc=com] member: uid=alice,ou=people,dc=example,dc=com
> How will slapo-memberof tell me which role Alice has at which locality? What would the query look like?
You could have groups under each location, like:
[l=phoenix,ou=divisions,dc=example,dc=com]
[cn=managers,l=phoenix,ou=divisions,dc=example,dc=com] member: uid=alice,ou=people,dc=example,dc=com
[l=portland,ou=divisions,dc=example,dc=com]
[cn=supervisors,l=phoenix,ou=divisions,dc=example,dc=com] member: uid=alice,ou=people,dc=example,dc=com
And then memberOf would show these groups.
Or, you could just store managers and supervisors as attribute values in the location's entry, and use a dynamic group to get a list of all managers.
> Dynamic groups look promising, but would I have to create a dynamic group for each user-role mapping? Using cn=config, I should be able to add new dynamic groups on the fly without restarting slapd?
Yes. You may need to load the overlay as a module, if you don't have it compiled in statically, then add the overlay config object under your database.
Regards, Jonathan
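An added example, not part of any message in this thread: a Python sketch of the groups-under-each-locality layout suggested above, showing how the group DN itself carries the (role, locality) pair and how both searches from the original question map onto it. The sample entries, the second user bob, the groupOfNames object class and all function names are assumptions made for illustration; the directory is emulated in memory rather than queried over LDAP.

```python
# Constructed sample data: group entries (assumed groupOfNames) placed under
# each locality, so each group DN encodes one (role, locality) pair.
BASE = "ou=divisions,dc=example,dc=com"
ALICE = "uid=alice,ou=people,dc=example,dc=com"
BOB = "uid=bob,ou=people,dc=example,dc=com"  # hypothetical second user
DIRECTORY = {
    f"cn=managers,l=phoenix,{BASE}": [ALICE],
    f"cn=supervisors,l=phoenix,{BASE}": [BOB],
    f"cn=supervisors,l=portland,{BASE}": [ALICE, BOB],
}

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        out.append("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch)
    return "".join(out)

def membership_filter(user_dn):
    """Filter for 'return all the roles and localities for a person'."""
    return "(&(objectClass=groupOfNames)(member=%s))" % escape_filter_value(user_dn)

def group_dn(role, locality):
    """Entry to read for 'all people with this role at this locality'."""
    return f"cn={role},l={locality},{BASE}"

def role_and_locality(dn):
    """Decode the two leading RDNs. Assumes no escaped commas in the DN."""
    rdns = dict(rdn.split("=", 1) for rdn in dn.lower().split(",")[:2])
    return rdns["cn"], rdns["l"]

def roles_for(user_dn):
    """Emulates a subtree search under BASE with membership_filter(user_dn)."""
    wanted = user_dn.lower()
    return sorted(role_and_locality(dn) for dn, members in DIRECTORY.items()
                  if wanted in (m.lower() for m in members))

def people_with(role, locality):
    """Emulates a base-scope read of the group's member attribute."""
    return DIRECTORY.get(group_dn(role, locality).lower(), [])

if __name__ == "__main__":
    print(membership_filter(ALICE))
    print(roles_for(ALICE))
    print(people_with("supervisors", "portland"))
```

Against a real server the first query is a subtree search under ou=divisions using the filter from `membership_filter`; with slapo-memberof enabled, the same group DNs appear in the user's memberOf values and decode the same way.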
openldap-technical@openldap.org