
DIT tree question



Could the LDAP heavyweights shed some light on a DIT tree design issue
we have?

We have users that _might_ be in several ou's, usually they aren't. Our
problem is that these different ou's want to store different attributes
that are specific for their ou. Some of these attribute names might be
the same across different ou's, but the values will be different.

Thus, we can either use dn's such as

uid=alan, ou=ABC, dc=ecomda, dc=de    for ou ABC
uid=alan, ou=XYZ, dc=ecomda, dc=de    for ou XYZ etc.
uid=alan, ou=VBG, dc=ecomda, dc=de

This would allow us to store different attributes for this user for each
ou, but it would be an administrative problem since we must synchronize
the data that is really common, including password etc.

We could also use dn's such as

uid=alan, dc=ecomda, dc=de                     for the common attributes

ou=ABC, uid=alan, dc=ecomda, dc=de     for the attributes specific to ou=ABC
ou=XYZ, uid=alan, dc=ecomda, dc=de     for the attributes specific to ou=XYZ, etc.
ou=VBG, uid=alan, dc=ecomda, dc=de

This would be nice since we wouldn't duplicate attributes, and we could
use different object classes to store different ou data.

The problem with the latter design is that it might be harder to
subdivide the tree to different servers based on subtrees for each ou,
or to make attributes visible based on ou.

The ideal solution would be to have both ways of accessing the data,
i.e. use the second approach, but also be able to have the first dn's as
an LDAP "view".

I've also heard about auxiliary objects which would solve our need if
they could be labeled with the ou's name, but I don't have more
information at hand about these.

I'm quite new to LDAP so please bear with me if I have overlooked
anything.


--
- Torgeir
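
The relationship between the two layouts described in the message, as an added example that is not part of the original post: it computes the first layout's DNs as a read-only view over entries stored in the second layout, so common data such as the password exists in one place only. The attribute names and values are constructed sample data, `split_dn` and `build_view` are hypothetical helper names, and the DN handling assumes no escaped commas.

```python
# Added illustration; the entries below are constructed sample data.
# Second layout from the message: one common entry per user, plus one
# child entry per ou holding that ou's specific attributes.
BASE = "dc=ecomda,dc=de"

STORED = {
    "uid=alan,dc=ecomda,dc=de": {
        "objectClass": ["inetOrgPerson"],
        "uid": ["alan"],
        "cn": ["Alan Example"],
        "userPassword": ["{SSHA}constructed-placeholder"],
    },
    "ou=ABC,uid=alan,dc=ecomda,dc=de": {"ou": ["ABC"], "title": ["Engineer"]},
    "ou=XYZ,uid=alan,dc=ecomda,dc=de": {"ou": ["XYZ"], "title": ["Auditor"]},
}


def split_dn(dn):
    """Split a DN into RDNs. Assumes no escaped commas in values."""
    return [rdn.strip() for rdn in dn.split(",")]


def build_view(stored, base):
    """Return {first-layout DN: merged attributes} for every ou child entry.

    Common attributes (password included) are read from the single parent
    entry, so nothing has to be synchronized between ou subtrees. An
    ou-specific attribute overrides a common one with the same name.
    """
    base_rdns = split_dn(base)
    view = {}
    for dn, attrs in stored.items():
        rdns = split_dn(dn)
        # ou child entries look like: ou=<name>, uid=<user>, <base>
        if len(rdns) != len(base_rdns) + 2 or rdns[2:] != base_rdns:
            continue
        ou_rdn, uid_rdn = rdns[0], rdns[1]
        if not ou_rdn.lower().startswith("ou=") or not uid_rdn.lower().startswith("uid="):
            continue
        parent = stored.get(",".join([uid_rdn] + base_rdns))
        if parent is None:
            continue  # orphaned ou entry: no common data to merge
        view[",".join([uid_rdn, ou_rdn] + base_rdns)] = {**parent, **attrs}
    return view


if __name__ == "__main__":
    for dn, attrs in build_view(STORED, BASE).items():
        print(dn, sorted(attrs))
```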