Paper on LDAP schema design
Questions about schema design come up from time to time, and there seems
to be little general advice available. I have tried to fill part of the
gap with a paper recently presented at the UKUUG Winter Conference:

http://www.skills-1st.co.uk/papers/ldap-schema-design-feb-2005/index.html

Here is the abstract:

LDAP Schema Design

It is possible to make one LDAP directory serve many applications
in an organisation. This has the advantage of reducing the effort
required to maintain the data, but it does mean that the design
must be thought out very carefully before implementation starts.

LDAP directories are structured as a tree of entries, where each
entry consists of a set of attribute-value pairs describing
one object. The objects are often people, organisations, and
departments, but can be anything at all. Schema is the term
used to describe the shape of the directory and the rules that
govern its content.

A hypothetical organisation is described, with requirements
for `white pages' directory service as well as a wide range of
authentication, authorisation, and application-specific directory
needs. The issues arising from the LDAP standards are discussed,
along with the problems of maintaining compatibility with a
range of existing LDAP clients.

Some options are examined for the layout of the directory tree,
with particular emphasis on avoiding the need to re-organise it
later. This involves careful separation of the data describing
people, departments, groups, and application-specific objects. A
simple approach to entry design is proposed, based on the use of
locally-defined auxiliary object classes. The effects of schema
design on lookup performance are discussed. Some design tricks
and pitfalls are presented, based on recent consulting experience.

Comments are welcome.

Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------