[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: a question about ou's
"Jankok, Lucio" wrote:
> I have like 26 subdomains to put in the directory.
>
> I have to do it like this, if I got it right (?);
> database ldbm
> suffixAlias "dc=stadhuis, dc=utrecht, dc=nl"n "dc=utrecht, dc=nl"
> ....
> suffix "dc=utrecht, dc=nl"
> suffix "dc=stadhuis, dc=utrecht, dc=nl"
Again, it depends on what you want to obtain.
In this case, let's say you must store people in your DS.
Let's say you belong to the base domain, and I belong to
the first subdomain.
You have two choices:
1) you want HARD subdomains:
dc=utrecht, dc=nl
--> ou=People, dc=utrecht, dc=nl
--> cn=Lucio, ou=People, dc=utrecht, dc=nl
--> ...
--> dc=stadhuis, dc=utrecht, dc=nl
--> ou=People, dc=stadhuis, dc=utrecht, dc=nl
--> cn=Pierangelo, ou=People, dc=stadhuis, dc=utrecht, dc=nl
--> ...
In this case you need no suffixAlias, everybody is in its
right subdomain and everything works fine. Only, you
need to build the right base before performing operations.
2) you want SOFT subdomains:
dc=utrecht, dc=nl
--> ou=People, dc=utrecht, dc=nl
--> cn=Lucio, ou=People, dc=utrecht, dc=nl
--> cn=Pierangelo, ou=People, dc=utrecht, dc=nl
--> ...
In this case you need some trick to distinguish between my domain
and your domain. One clever way could be to use a special attribute,
say "domainComponent"; in this case I would have "stadhuis" and
you would have none. Another would be to use groups: you might
create a group for people that are in the base domain and a group
for each subdomain:
--> ou=Groups, dc=utrecht, dc=nl
--> cn=Base, ou=Groups, dc=utrecht, dc=nl
--> cn=Stadhuis, ou=Groups, dc=utrecht, dc=nl
--> ...
with me as member of the latter and you member of the former.
In this case you may add suffixAliases to allow virtual naming
context access to entries, e.g.
suffixAlias "dc=stadhuis, dc=utrecht, dc=nl" "dc=utrecht, dc=nl"
suffix "dc=utrecht, dc=nl"
suffix "dc=stadhuis, dc=utrecht, dc=nl"
but beware, this doesn't partition the data into separate naming
contexts, on the contrary, everything gets mixed up.
Both methods share advantages and disadvantages. The second
seems preferable to me if you have no problems in mixing stuff
(i.e. you do not have special inter-domain security requirements
or special administrative problems), because it gives you an overall
view of people (you may configure your address book to fetch
everybody simultaneously by looking at ou=People) and
simultaneously gives you the possibility to separate people inACLs
and in applications.
Pierangelo.
--
Dr. Pierangelo Masarati | voice: +39 02 2399 8365
Dip. Ing. Aerospaziale | fax: +39 02 2399 8334
Politecnico di Milano | mailto:masarati@aero.polimi.it
via La Masa 34, 20156 Milano, Italy | http://www.aero.polimi.it/~masarati