Re: Advice regarding ldap (building my tree)

[Dan White <dwhite@olp.net>]

On 10/01/12 20:12 +0100, Mik J wrote:
> > >  De : Dan White <dwhite@olp.net>
> > >
> > >  I personally prefer breaking up my DIT by function, rather than by
> > >  company organization, e.g.:
> > >
> > >  uid=user1@companydomain1,ou=people,dc=mycompany,dc=org
> > >  uid=userx@companydomain2,ou=people,dc=mycompany,dc=org
> > >  cn=mygroup,ou=groups,dc=mycompany,dc=org
> > >  cn=myalias,ou=aliases,dc=mycompany,dc=org
> > >
> > >  Then, if I need to restrict an ldap search to one or more
> > >  organizations, I do so by placing an identifying attribute within the
> > >  user's entry, and find them with a filter.
> > >
> > >  Filters are generally a more flexible way to organize your users than
> > >  a base.
>
> Hello Dan,I've started to think about your way to implement this and I've
> notice that having a uid that looks like an email address is mandatory to
> achieve what I want. Right now my uids don't look like an email address
> but more like one_letter+family name Because you use emails as uids and
> you do filtering based on regex applied to emails, do you need groups ?

I maintain ldap groups to store unix group membership, and for ACL
enforcement.

I do not typically use groups for user authentication and authorization.

--
Dan White