Re: Advice regarding ldap (building my tree)

[Dan White <dwhite@olp.net>]

On 09/28/12 18:40 +0100, Mik J wrote:
> Hello,
>
> I'm setting up my openldap server and I would like an advice from experimented users.
>
> My domain is dc=mycompany,dc=org
>
>
> My company will have:
> - employees
> - clients
> - partners
>
> How should I organise my tree ? for example ?
> o=MyCompany, dc=mycompany,dc=org
> o=Client1, dc=mycompany,dc=org
> o=Client2, dc=mycompany,dc=org
> o=Partner1, dc=mycompany,dc=org
>
> Or can I group clients ?
> o=Client1, ??=Clients, dc=mycompany,dc=org
> o=Client2, ??=Clients, dc=mycompany,dc=org
> What would be "??" if I want to make a group called Clients ?
>
> Or my approach is not good ?
> If someone has advices (or links that describe a real life case) I'll be more than happy to read them.

I personally prefer breaking up my DIT by function, rather than by
company organization, e.g.:

uid=user1@companydomain1,ou=people,dc=mycompany,dc=org
uid=userx@companydomain2,ou=people,dc=mycompany,dc=org
cn=mygroup,ou=groups,dc=mycompany,dc=org
cn=myalias,ou=aliases,dc=mycompany,dc=org

Then, if I need to restrict an ldap search to one or more organizations, I
do so by placing an identifying attribute within the user's entry, and find
them with a filter.

Filters are generally a more flexible way to organize your users than
a base.

--
Dan White