Design question
- To: openldap-technical@openldap.org
- Subject: Design question
- From: Isaac Hailperin <hailperin@zib.de>
- Date: Wed, 21 Jul 2010 14:49:30 +0200
- User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.10) Gecko/20100528 Thunderbird/3.0.5
Hi,
currently I am redesigning the ldap server for a site which has about
700 users, with approximately 200 new users per year, and maybe a little
less dropping out every year.
The information about the lifetime of an account is kept in a different
database (mysql). Thus, in order to check if an account is expired, I
need to check with that database. While this might not be the happiest
situation, it is partly due to historical reasons, partly due to other
restrictions beyond my reach. In any case, there is nothing I can do
about it.
Now I would like to have a way to make sure that usernames and
numerical uids will never get reused. Also, I would like to keep track of
who had an account, sort of a history.
Two ideas came to my mind:
1. Have an "expired" flag in the schema. Records with the expired flag
would be blocked from login with an appropriate acl.
2. Have an archive subtree, where expired records get moved to.
The beauty of the first idea seems to me that it is very simple. The
downside is that there would be two places where the expired flag would
live, the ldap server and the other database (see above). Also, over the
years, the number of records in the people subtree would grow and grow
(not sure if this is a disadvantage though).
The beauty of the second idea is that the people subtree would be
"clean", containing only active accounts. The downside seems to me that
it looks a bit more involved.
Now I was wondering how other people have solved this, or if anyone
would favor one of the solutions.
thank you,
Isaac
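As an added illustration (not part of the original mail or of any OpenLDAP documentation), this is how the first idea, an "expired" flag enforced by ACLs, and the archive-subtree idea could be expressed in cn=config LDIF. The attribute name siteAccountExpired, the OID arc 1.3.6.1.4.1.99999 (a placeholder, to be replaced by the site's own arc), the suffix dc=example,dc=com and the database name olcDatabase={1}mdb are all assumptions.

```ldif
# Constructed example: custom schema carrying the expired flag.
# OID arc 1.3.6.1.4.1.99999 is a PLACEHOLDER, use your site's registered arc.
dn: cn=siteaccount,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: siteaccount
olcAttributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'siteAccountExpired'
  DESC 'TRUE once the account has expired (hypothetical attribute)'
  EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcObjectClasses: ( 1.3.6.1.4.1.99999.1.2 NAME 'siteAccount'
  DESC 'Auxiliary class adding the expired flag (hypothetical)'
  AUXILIARY MAY ( siteAccountExpired ) )

# Access rules for the user database (assumed to be olcDatabase={1}mdb).
# slapd stops at the first matching rule, so the deny rules for expired
# and archived entries must precede the general userPassword rule.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Rule 0: expired entries in the people subtree cannot be used for a
# simple bind, even though their userPassword value is still stored.
olcAccess: {0}to dn.subtree="ou=people,dc=example,dc=com"
  filter=(siteAccountExpired=TRUE) attrs=userPassword
  by * none
# Rule 1: entries moved into the archive subtree cannot bind either,
# so the history is kept without the accounts staying usable.
olcAccess: {1}to dn.subtree="ou=archive,dc=example,dc=com"
  attrs=userPassword
  by * none
# Rule 2: ordinary password handling for active accounts.
olcAccess: {2}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# Rule 3: everything else readable by authenticated users only.
olcAccess: {3}to *
  by users read
  by * none
```

Since both designs keep the old entries in the directory, a uniqueness check on uid and uidNumber that spans the whole suffix (for instance the slapo-unique overlay) is what actually prevents reuse; the ACLs above only stop expired accounts from logging in.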