
Re: slapd-ldap meta backend and flat ldap migration



I (in my capacity as a total nobody) recommend against using such a structure.  
I've gone down that path with NDS in the past, and it adds complication without 
any benefit whatsoever.

In general you want ou's to be for really high-level taxonomic distinctions, 
like ou=People and ou=WindowsPCs for example.  Manage the minor distinctions 
you are talking about through group memberships; this will fit nicely with 
"traditional" paradigms that are taken for granted in Windows, *nix, VMS, and 
the like.  You can easily control access with posix groups, and you can sync 
your unix, VMS and windows groups, which will give you a consistent ACL 
structure across OSes.

If you have WAN-connected sites and limited bandwidth you might want to do per-
site ou's so that the master database for each site is physically on that site, 
and lookups across sites are accomplished with OpenLDAP behind-the-scenes 
magic.  I don't recommend that either, I'd just use replicas, but I think some 
people with really large dbs are doing it that way.

No ou's are better than too many ou's.

Discussion of optimal db structure is off-topic for this list, and I'm not an 
expert anyway, so I'll shut up now.

--Charlie

On 6 Apr 2004 at 17:21, James Saint-Rossy wrote:

> I'm migrating a poorly configured LDAP (flat with no ou's) to one that 
> has structure.  My problem is that several of the applications that use 
> the LDAP can't handle users/groups in ou's.  I need a temporary 
> solution so that I can go ahead with migrating the LDAP, without having 
> to wait for the vendors to fix their clients.  I've been playing around 
> with slapd-ldap but can't figure out how to do the following.
> 
> Here is my structure
> 
> O=company,c=us
> 	ou=sales
> 	ou=engineers
> 	ou=admin
> 	ou=groups
> 
> When the user "jdoe" logs on the application tries the following
>  >BIND dn=""
>  >SRCH base="o=company,c=us" scope=1 filter="(uid=jdoe)"
> 
> User jdoe can be in any of the ou's.  So here are some questions
> 1.  Is there a way to change the search scope with slapd-ldap?
> 2.  Can I change the base depending on the filter?
> 3.  Can I use slapd-ldap to completely flatten the ldap?
> 
> Thanks, James.
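An added illustration of the "control access with groups, not ou's" advice above, written for James's tree (o=company,c=us with ou=groups). This is example slapd.conf ACL text added here, not part of either mail; the group names cn=ldapadmins and cn=helpdesk are assumed, and the clauses are ordered so that the anonymous one-level search in the quoted log (BIND dn="", then (uid=jdoe)) can still succeed without exposing anything beyond the entry and its uid:

```conf
# Example slapd.conf ACLs (added example, not from the original thread).
# Policy lives in group entries under ou=groups; which ou a user sits in
# never appears in a rule.  Group names below are assumptions.

# Passwords: the user may change their own, anonymous clients may only
# use the attribute to authenticate, the admin group may reset it,
# everyone else gets nothing.
access to dn.subtree="o=company,c=us" attrs=userPassword
    by self write
    by anonymous auth
    by group.exact="cn=ldapadmins,ou=groups,o=company,c=us" write
    by * none

# The application in the quoted log binds with an empty DN, so the
# search needs anonymous read on the entry pseudo-attribute and on uid
# and nothing more.
access to dn.subtree="o=company,c=us" attrs=entry,uid
    by * read

# Everything else: admins and helpdesk may edit, authenticated users
# may read, anonymous clients see nothing further.
access to dn.subtree="o=company,c=us"
    by group.exact="cn=ldapadmins,ou=groups,o=company,c=us" write
    by group.exact="cn=helpdesk,ou=groups,o=company,c=us" write
    by users read
    by * none
```

Two things to check before copying this. First, slapd evaluates access directives in order and stops at the first matching "access to" clause, so the narrow userPassword and entry/uid rules must come before the catch-all. Second, the group.exact form looks up membership in a DN-valued attribute (groupOfNames/member by default; another class and attribute can be named with group/<objectClass>/<attr>); a plain posixGroup's memberUid holds login names rather than DNs, so a group used in an ACL needs a DN-valued membership attribute alongside its posix one.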