--On Tuesday, April 14, 2015 5:52 PM +0400 Poul Etto zepouletto@gmail.com wrote:
There are "u" user accounts on the LDAP server. We have a number of "s" services that use LDAP to manage user accounts. Each service has particular attributes. Each service must be able to access only its information. Basic services use only the information contained in the standard LDAP user account. Advanced services have dedicated OUs with special attributes.
It is important that each service can access in RO (no modification) only its information. That's why we made our LDAP as it is in the attached picture.
This is what custom objectClasses and ACLs are for.
Here's an example of a directory set up correctly: https://itservices.stanford.edu/service/directory/datadefs/accounts
Where services are tied to the user object, with their own specific attributes. ACLs can be used to restrict what data a given service can retrieve.
--Quanah
--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
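The following is an added worked example of the approach Quanah describes (a custom auxiliary objectClass holding the advanced service's attributes, plus per-service read-only ACLs); it is not from the thread or from OpenLDAP's own documentation. The suffix dc=example,dc=com, the OUs ou=people and ou=services, the service bind DNs cn=basic-svc and cn=advanced-svc, the attribute and class names svcAdvQuota, svcAdvRole and svcAdvancedUser, and the OID arc 1.3.6.1.4.1.99999 are all assumed placeholders; the database DN olcDatabase={1}mdb,cn=config is likewise an assumption about the deployment.

```ldif
# Added example, not part of the original message. All DNs, names and the
# OID arc 1.3.6.1.4.1.99999 below are placeholders; substitute your own PEN.
#
# 1. Schema: an AUXILIARY class that hangs the advanced service's attributes
#    off the existing user entry, so there is one user object rather than a
#    parallel OU that must be kept in sync.
dn: cn=svcadvanced,cn=schema,cn=config
changetype: add
objectClass: olcSchemaConfig
cn: svcadvanced
olcAttributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'svcAdvQuota'
  DESC 'Placeholder: storage quota used by the advanced service'
  EQUALITY integerMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.99999.1.2 NAME 'svcAdvRole'
  DESC 'Placeholder: role within the advanced service'
  EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcObjectClasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'svcAdvancedUser'
  DESC 'Placeholder: carries attributes private to the advanced service'
  SUP top AUXILIARY
  MAY ( svcAdvQuota $ svcAdvRole ) )

# 2. ACLs: rules are evaluated in order and the first matching "to" clause
#    wins, so the service-private attributes are listed before the general
#    attribute set, and everything ends in "by * none".
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Passwords: never readable, only usable for a bind.
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# Advanced-service attributes: only the advanced service (and the user) may read.
olcAccess: {1}to dn.subtree="ou=people,dc=example,dc=com"
  attrs=svcAdvQuota,svcAdvRole
  by dn.exact="cn=advanced-svc,ou=services,dc=example,dc=com" read
  by self read
  by * none
# Standard account attributes: readable by both services. "entry" is the
# pseudo-attribute a requester needs in order to see the entry at all.
olcAccess: {2}to dn.subtree="ou=people,dc=example,dc=com"
  attrs=entry,objectClass,uid,cn,sn,mail
  by dn.exact="cn=basic-svc,ou=services,dc=example,dc=com" read
  by dn.exact="cn=advanced-svc,ou=services,dc=example,dc=com" read
  by self read
  by * none
# Anything not matched above (other attributes, other subtrees) is denied.
olcAccess: {3}to *
  by * none
```

Load the file with `ldapmodify -Y EXTERNAL -H ldapi:///` on the server, then check the result from each service's point of view: an `ldapsearch -x -D "cn=basic-svc,ou=services,dc=example,dc=com" -W -b ou=people,dc=example,dc=com uid=alice` should return the entry without svcAdvQuota or svcAdvRole, while the same search bound as cn=advanced-svc should include them. Neither bind DN is granted `write` anywhere, which is what gives each service the read-only access described in the question. A user is enrolled in the advanced service simply by adding `objectClass: svcAdvancedUser` and the corresponding attributes to that user's existing entry.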
openldap-technical@openldap.org