
Re: Advice regarding ldap (building my tree)



> From: Mik J <mikydevel@yahoo.fr>

> To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
> 
>>  From: Dan White <dwhite@olp.net>
> 
>>  To: Mik J <mikydevel@yahoo.fr>
>> 
>>  On 09/28/12 18:40 +0100, Mik J wrote:
>>>  Hello,
>>> 
>>>  I'm setting up my openldap server and I would like some advice from
>>>  experienced users.
>>> 
>>>  My domain is dc=mycompany,dc=org
>>> 
>>> 
>>>  My company will have:
>>>  - employees
>>>  - clients
>>>  - partners
>>> 
>>>  How should I organise my tree? For example:
>>>  o=MyCompany, dc=mycompany,dc=org
>>>  o=Client1, dc=mycompany,dc=org
>>>  o=Client2, dc=mycompany,dc=org
>>>  o=Partner1, dc=mycompany,dc=org
>>> 
>>>  Or can I group clients?
>>>  o=Client1, ??=Clients, dc=mycompany,dc=org
>>>  o=Client2, ??=Clients, dc=mycompany,dc=org
>>>  What would be "??" if I want to make a group called Clients?
>>> 
>>>  Or is my approach not good?
>>>  If someone has advice (or links that describe a real life case) I'll be
>>>  more than happy to read them.
>> 
>>  I personally prefer breaking up my DIT by function, rather than by
>>  company organization, e.g.:
>> 
>>  uid=user1@companydomain1,ou=people,dc=mycompany,dc=org
>>  uid=userx@companydomain2,ou=people,dc=mycompany,dc=org
>>  cn=mygroup,ou=groups,dc=mycompany,dc=org
>>  cn=myalias,ou=aliases,dc=mycompany,dc=org
>> 
>>  Then, if I need to restrict an ldap search to one or more organizations, I
>>  do so by placing an identifying attribute within the user's entry, and find
>>  them with a filter.
>> 
>>  Filters are generally a more flexible way to organize your users than
>>  a base.
> 
> 
> Hello Dan,
> Thank you for your advice. I will consider this option seriously.
> I would also like to hear other people's implementation.
> Have a nice week


Hello Dan,

I've started to think about your way to implement this and I've noticed that having a uid that looks like an email address is mandatory to achieve what I want. Right now my uids don't look like an email address but more like one_letter+family name.

Because you use emails as uids and you do filtering based on regex applied to emails, do you need groups?

Thank you
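
The layout Dan describes above (one flat ou=people, an identifying attribute in each entry, a filter to pick one or more organizations), as an added example that is not part of the original thread. It assumes the identifying attribute is `o`, uses constructed entries and hypothetical helper names, and escapes values per RFC 4515 so that an organization name taken from user input cannot change the shape of the filter.

```python
# Added example, not from the thread. The entries are constructed sample data and
# the use of `o` as the identifying attribute is an assumption.
ENTRIES = [
    {"dn": "uid=jdoe,ou=people,dc=mycompany,dc=org", "uid": "jdoe", "o": "MyCompany"},
    {"dn": "uid=asmith,ou=people,dc=mycompany,dc=org", "uid": "asmith", "o": "Client1"},
    {"dn": "uid=bwong,ou=people,dc=mycompany,dc=org", "uid": "bwong", "o": "Client2"},
    {"dn": "uid=cdiaz,ou=people,dc=mycompany,dc=org", "uid": "cdiaz", "o": "Partner1"},
]

FILTER_SPECIALS = "\\*()\x00"  # backslash, asterisk, parentheses, NUL


def escape_filter_value(value):
    """Replace RFC 4515 special characters with a backslash and two hex digits."""
    return "".join(
        "\\%02x" % ord(ch) if ch in FILTER_SPECIALS else ch for ch in value
    )


def org_filter(orgs):
    """Build (o=A) for one organization or (|(o=A)(o=B)) for several."""
    terms = "".join("(o=%s)" % escape_filter_value(name) for name in orgs)
    return terms if len(orgs) == 1 else "(|%s)" % terms


def select_people(orgs):
    """Local stand-in for the server's equality match on `o` (case-insensitive)."""
    wanted = {name.lower() for name in orgs}
    return [e["uid"] for e in ENTRIES if e["o"].lower() in wanted]


if __name__ == "__main__":
    # The same base is used for every search; only the filter changes, e.g.
    #   ldapsearch -b ou=people,dc=mycompany,dc=org '(|(o=Client1)(o=Client2))'
    print(org_filter(["Client1", "Client2"]), select_people(["Client1", "Client2"]))
    # A value carrying filter syntax stays a literal and matches nothing.
    hostile = "Client1)(o=*"
    print(org_filter([hostile]), select_people([hostile]))
```
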