Hi all, I have a stupid question, but can you check this?
When do we need to use LDAP groups versus Tree?
I mean: I have to build a directory service.
Should I use a tree like:
dc=fr
|_dc=enterprise
   |
   |_ou=unit_1
   |    |_ cn=guy_1
   |    |_ cn=guy_2
   |    |_ cn=guy_3
   |
   |_ou=unit_2
        |_cn=guy_1
Or should I use groups like:
dc=fr
|_dc=enterprise
   |
   |_ou=unit_1
   |    member : dn:cn=guy_1,ou=people,dc=enterprise,dc=fr
   |    member : dn:cn=guy_2,ou=people,dc=enterprise,dc=fr
   |    member : dn:cn=guy_3,ou=people,dc=enterprise,dc=fr
   |
   |_ou=unit_2
   |    member : dn:cn=guy_1,ou=people,dc=enterprise,dc=fr
   |
   |_dc=people
      |_ cn: guy_1
      |_ cn: guy_2
      |_ cn: guy_3
Thanks a lot guys.
Hi, OK, I have the answer. Sorry for this noob's question.
________________________________
From: openldap-technical openldap-technical-bounces@openldap.org on behalf of Olivier - piwako@outlook.fr
Sent: Thursday, March 28, 2019 11:22
To: openldap-technical@openldap.org
Subject: Tree versus group
On 3/28/19 11:22 AM, Olivier - wrote:
> When do we need to use LDAP groups versus Tree?

Without knowing what you want to achieve, nobody can tell. So what do you want to do? Which access control do you need?
In general, you should try to keep your DIT (directory information tree) as flat as possible, because the more attributes are part of the DN, the more likely you are to have to rename/move the entry when modifying data.
Ciao, Michael.
--On Thursday, March 28, 2019 11:22 AM +0000 Olivier - piwako@outlook.fr wrote:
> Hi all,
>
> I have a stupid question, but can you check this?
> When do we need to use LDAP groups versus Tree?
Generally you're talking about two different things.
The tree is how you organize where entries will live inside the database. A group is a reference to entries in your tree. So you may have something like:
dn: dc=mybase,dc=com (root of the database tree)
dn: cn=people,dc=mybase,dc=com (subtree for storing people entries)
dn: cn=groups,dc=mybase,dc=com (subtree for storing group entries)
Then say we have 5 people:
dn: uid=joe,cn=people,dc=mybase,dc=com
dn: uid=jean,cn=people,dc=mybase,dc=com
dn: uid=frank,cn=people,dc=mybase,dc=com
dn: uid=april,cn=people,dc=mybase,dc=com
dn: uid=samantha,cn=people,dc=mybase,dc=com
Now, these people may belong to different (and multiple) groups. For example:
dn: cn=staff,cn=groups,dc=mybase,dc=com
member: uid=joe,cn=people,dc=mybase,dc=com
member: uid=jean,cn=people,dc=mybase,dc=com
member: uid=april,cn=people,dc=mybase,dc=com

dn: cn=students,cn=groups,dc=mybase,dc=com
member: uid=frank,cn=people,dc=mybase,dc=com
member: uid=samantha,cn=people,dc=mybase,dc=com

dn: cn=human resources,cn=groups,dc=mybase,dc=com
member: uid=joe,cn=people,dc=mybase,dc=com

dn: cn=faculty,cn=groups,dc=mybase,dc=com
member: uid=jean,cn=people,dc=mybase,dc=com
In the above example:
Joe, Jean, and April are all staff of the organization
Frank and Samantha are students
Joe is in HR
Jean is faculty.
etc.
Hope that helps!
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
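
The two replies above fit together, and the following added example (not part of the original thread, and not OpenLDAP code) shows how: group membership is stored as DN references, so encoding an organizational unit in a person's DN means a move between units changes the DN and leaves stale member values behind. It uses a subset of the entries from the message above; the ou=hr container and the helper names are assumptions made for illustration, and DN handling is simplified (no escaped commas).

```python
# Added example (not from the thread): standard library only.
# Entries are a subset of the ones in the message above; "ou=hr" is constructed.
SAMPLE_LDIF = """\
dn: uid=joe,cn=people,dc=mybase,dc=com

dn: uid=jean,cn=people,dc=mybase,dc=com

dn: cn=staff,cn=groups,dc=mybase,dc=com
member: uid=joe,cn=people,dc=mybase,dc=com
member: uid=jean,cn=people,dc=mybase,dc=com

dn: cn=human resources,cn=groups,dc=mybase,dc=com
member: uid=joe,cn=people,dc=mybase,dc=com
"""

def norm(dn):
    """Simplified DN key: lower-case, no spaces around commas (no escape handling)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse(ldif):
    """Map each entry's normalized DN to its list of normalized member DNs."""
    entries = {}
    for block in ldif.strip().split("\n\n"):
        dn, members = None, []
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            if attr.strip().lower() == "dn":
                dn = norm(value)
            elif attr.strip().lower() == "member":
                members.append(norm(value))
        if dn:
            entries[dn] = members
    return entries

def member_of(entries, dn):
    """Groups whose member values reference this exact DN."""
    return sorted(g for g, ms in entries.items() if norm(dn) in ms)

def dangling(entries):
    """(group, member) pairs whose member DN no longer names an existing entry."""
    return sorted((g, m) for g, ms in entries.items() for m in ms if m not in entries)

def move(entries, old_dn, new_dn):
    """Rename an entry the way a modrdn would, leaving group references untouched."""
    moved = dict(entries)
    moved[norm(new_dn)] = moved.pop(norm(old_dn))
    return moved

if __name__ == "__main__":
    e = move(parse(SAMPLE_LDIF), "uid=joe,cn=people,dc=mybase,dc=com",
             "uid=joe,ou=hr,cn=people,dc=mybase,dc=com")
    print(dangling(e))
```

A stale member value is worth auditing for because any entry later created at the old DN would match it; OpenLDAP's refint overlay (slapo-refint) can keep such references in step with renames and deletes.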