I am using OpenLDAP 2.2.
I have two types of entries in our directory: people and accounts. I want
to be able to easily determine which accounts are owned by which people. (A
people entry belongs to one actual person, while a person may own several
accounts.) The current thinking is to use a local objectclass and attribute
(localAccount). So we may have:
dn: cn=123,...
objectClass: inetOrgPerson
objectClass: localPerson
cn: 123
localAccount: uid=abc,...
localAccount: uid=efg,...
And our account:
dn: uid=abc,...
objectClass: inetOrgPerson
objectClass: localAccount
uid: abc
localPerson: cn=123,...
This way it's easy to map back and forth between entries.
I would think that locating which accounts belong to which people is a
common occurrence. It can be difficult to enforce a one person/one account
rule in many organizations.
Better suggestions?
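Two-way DN links like the localAccount/localPerson pair above drift when one side is edited without the other, so an audit that flags dangling or one-way references is worth having. The following is an added example, not code from the original post; it assumes the attribute names from the post and a constructed LDIF sample with the bases ou=people and ou=accounts under dc=example,dc=com.

```python
# Added example: referential-integrity check for the localAccount/localPerson
# forward and back links. Sample data below is constructed for illustration.
from collections import defaultdict

SAMPLE_LDIF = """\
dn: cn=123,ou=people,dc=example,dc=com
objectClass: localPerson
localAccount: uid=abc,ou=accounts,dc=example,dc=com
localAccount: uid=efg,ou=accounts,dc=example,dc=com

dn: uid=abc,ou=accounts,dc=example,dc=com
objectClass: localAccount
localPerson: cn=123,ou=people,dc=example,dc=com

dn: uid=efg,ou=accounts,dc=example,dc=com
objectClass: localAccount
localPerson: cn=999,ou=people,dc=example,dc=com

dn: uid=hij,ou=accounts,dc=example,dc=com
objectClass: localAccount
localPerson: cn=123,ou=people,dc=example,dc=com
"""

def parse_ldif(text):
    """Minimal LDIF parser: {dn: {attr: [values]}}; no base64 or continuation lines."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            attrs[name.lower()].append(value.strip())
        entries[attrs["dn"][0].lower()] = attrs
    return entries

def check_links(entries):
    """Return sorted (kind, dn, target) tuples for every broken or one-way link."""
    problems = []
    for dn, attrs in entries.items():
        for acct in attrs.get("localaccount", []):          # person -> account
            target = entries.get(acct.lower())
            if target is None:
                problems.append(("dangling-account", dn, acct))
            elif dn not in (p.lower() for p in target.get("localperson", [])):
                problems.append(("no-backlink", dn, acct))
        for person in attrs.get("localperson", []):         # account -> person
            target = entries.get(person.lower())
            if target is None:
                problems.append(("dangling-person", dn, person))
            elif dn not in (a.lower() for a in target.get("localaccount", [])):
                problems.append(("not-listed-by-person", dn, person))
    return sorted(problems)
```

On the constructed sample, the check reports that uid=efg points to a person that does not exist, that cn=123 lists uid=efg without a matching back-link, and that uid=hij claims cn=123 as owner while cn=123 does not list it.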