Could the LDAP heavyweights shed some light on a DIT tree design issue
we have?
We have users that _might_ be in several ou's, usually they aren't. Our
problem is that these different ou's want to store different
attributes that are specific for their ou. Some of these attribute
names might be the same across different ou's, but the values will
be different.
Thus, we can either use dn's such as

    uid=alan, ou=ABC, dc=ecomda, dc=de    for ou ABC
    uid=alan, ou=XYZ, dc=ecomda, dc=de    for ou XYZ etc.
    uid=alan, ou=VBG, dc=ecomda, dc=de

This would allow us to store different attributes for this user for
each ou, but it would be an administrative problem since we must
synchronize the data that is really common, including password etc.
We could also use dn's such as

    uid=alan, dc=ecomda, dc=de            for the common attributes
    ou=ABC, uid=alan, dc=ecomda, dc=de    for the attributes specific to ou=ABC
    ou=XYZ, uid=alan, dc=ecomda, dc=de    for the attributes specific to ou=XYZ, etc.
    ou=VBG, uid=alan, dc=ecomda, dc=de

This would be nice since we wouldn't duplicate attributes, and we
could use different object classes to store different ou data.
The problem with the latter design is that it might be harder to
subdivide the tree to different servers based on subtrees for each ou,
or to make attributes visible based on ou.
The ideal solution would be to have both ways of accessing the data,
i.e. use the second approach, but also be able to have the first dn's
as an LDAP "view".
I've also heard about auxiliary objects which would solve our need if
they could be labeled with the ou's name, but I don't have more
information at hand about these.
I'm quite new to LDAP so please bear with me if I have overlooked
anything.
--
- Torgeir
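
The "view" asked for above can be sketched client-side as a DN rewrite between the two layouts; this is an added example, not part of the original post and not a feature of any LDAP server. The function names are hypothetical, and the rule that ou-specific attributes shadow same-named common ones is an assumption.

```python
BASE = "dc=ecomda,dc=de"  # suffix used in the post

def split_rdns(dn):
    """Split a DN on unescaped commas, keeping backslash escape pairs intact."""
    rdns, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]          # copy the escape pair, e.g. "\,"
            i += 2
            continue
        if dn[i] == ",":
            rdns.append(cur.lstrip())   # drop the space that follows a comma
            cur = ""
        else:
            cur += dn[i]
        i += 1
    rdns.append(cur.lstrip())
    return rdns

def rdn_type(rdn):
    """Attribute type of an RDN, lower-cased ("uid", "ou", ...)."""
    return rdn.split("=", 1)[0].strip().lower()

def swap_leading_rdns(dn, first_type, second_type):
    """Swap the two RDNs directly below BASE after checking their types."""
    rdns, base = split_rdns(dn), split_rdns(BASE)
    # Reject anything outside the expected subtree instead of rewriting it.
    if len(rdns) != len(base) + 2 or [r.lower() for r in rdns[2:]] != base:
        raise ValueError("DN is not exactly two levels below " + BASE)
    if (rdn_type(rdns[0]), rdn_type(rdns[1])) != (first_type, second_type):
        raise ValueError("expected %s=...,%s=...,%s" % (first_type, second_type, BASE))
    return ",".join([rdns[1], rdns[0], BASE])

def view_to_stored(view_dn):
    """uid=alan,ou=ABC,<base> (first layout) -> ou=ABC,uid=alan,<base> (second)."""
    return swap_leading_rdns(view_dn, "uid", "ou")

def stored_to_view(stored_dn):
    """ou=ABC,uid=alan,<base> (second layout) -> uid=alan,ou=ABC,<base> (first)."""
    return swap_leading_rdns(stored_dn, "ou", "uid")

def merged_entry(common, ou_specific):
    """Entry as seen through the view. Assumption: ou-specific values shadow
    same-named common ones; the common entry stays the single source for the rest."""
    merged = dict(common)
    merged.update(ou_specific)
    return merged
```
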