[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Filter on DN



On Mon, 2004-08-23 at 06:10, Imobach González Sosa wrote:
> Hi all,
> 
> We have an OpenLDAP server to authenticate our users. The namespace is divided 
> into three "organizations":
> 
> ou=Students,ou=Personal,dc=XXX,dc=XXX
> ou=Teachers,ou=Personal,dc=XXX,dc=XXX
> ou=Administrative,ou=Personal,dc=XXX,dc=XXX
> 
> We have also two IMAP servers: the first one, authenticate users against 
> "ou=Students". That's right and works fine. But, the other one, have to 
> authenticate against Teachers and Administrative. So, I need a filter to 
> search only in those namespaces.
> 
> Is this possible? Any ideas?
> 
> Anyway, I guess that exists different approaches to a solution without 
> filtering:
> 
> 1) Group Teachers and Administrative in another "ou" and find users in this 
> new 'ou'.
> 2) Flat the hierarchy and pass the "Teachers", "Administrative" or "Students" 
> to and attribute.
> 
> Any advice concerning this issue?
> 
> Thank you in advance.
From my own experience, relying on OUs for classification leads to
difficulty, mostly because of users who have multiple classifications,
for example, an Administrative member who is also a Teacher.  The use of
OUs can also lead to administrative overhead, such as moving users
around the DIT when their classification changes.  My rule-of-thumb has
always been to keep things as "flat" as possible, and use
attributes/filtering to determine classification.

I use OUs only to segregate objects that will never need classification
changes -- a computer will never be a person, a printer will never be a
classroom, etc.

  This methodology has worked well for a few years in our ~45,000 user
iPlanet Directory (moving to OpenLDAP) and our ~10,000 user Active
Directory.

Just my $0.02,
-Matt
-- 
Matthew J. Smith <matt.smith@uconn.edu>
University of Connecticut ITS
PGP Key: http://web.uconn.edu/dotmatt/matt.asc

Attachment: signature.asc
Description: This is a digitally signed message part