Considering OpenLDAP - Functionality Questions.

I work at a University in the US Mountain West. We're looking to implement a Directory tree to handle user account management for computer labs and workstations. Once we're rolled out we'll want to allow different organizations to manage certain aspects of their organization, represented as organizational units in the tree. Consequently, most accounts would have read access to portions of all the information (home directory, UIDs, default shell, etc). Organizational Admins would also have full read access of their scope of the tree, as well as modify privileges in certain circumstances. We would also want to maintain central administration of the entire tree. I'm familiar with some other directory products such as eDirectory and Active Directory, but not OpenLDAP specifically. I'd appreciate it if any of you could take a moment or two to answer some "pre-sales" type questions. (I wasn't able to find the answers on my own).

Example of our directory structure

 ou-Org Unit 1
 |    |
 |    cn-Admin Org 1
 |    cn-user1a
 |    cn-user1b
 ou-Org Unit 2
      cn-Admin Org 2
(and so on)

Does OpenLDAP have the ability (possibly via ACLs or a similar mechanism) to allow certain accounts in the DIT root access to portions of the tree? For instance, the Admin of Org 1 has read/modify access to Org Unit 1, but not Org Unit 2, and vice versa for the Admin of Org 2.

Alternately, is it possible to set up, via slurpd, a replica of the tree so that the Main server would have a copy of the entire tree, but the entire Org Unit 1 structure would also live on a separate server, allowing total access to the root of that particular server? (Obviously modifies would need to take place at the master server, but this would at least allow full read-only access to the Organizational admin).

I do appreciate your time in answering these two questions.

Paul Anderson
Assistant System Administrator
Brigham Young University
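The per-organization delegation asked about in the first question, written as slapd.conf access directives. This is an added illustration, not part of the original post or a configuration from the poster's site; the suffix dc=example,dc=edu, the units ou=org1 and ou=org2, and the admin entries cn=admin1 and cn=admin2 are assumed names, and the dn.subtree/dn.exact syntax assumes OpenLDAP 2.1 or later.

```conf
# Assumed naming (not from the original post): suffix dc=example,dc=edu,
# organizational units ou=org1 and ou=org2, and one delegated administrator
# entry (cn=admin1, cn=admin2) living inside each unit.
#
# slapd evaluates "access to" clauses in order: the first clause whose target
# matches the entry/attribute is used, and within it the first matching "by"
# line decides. Specific rules therefore go before general ones, and every
# clause ends with "by * none" so nothing is granted by accident.

# Passwords: the owning user may change their own, anyone may bind with it,
# the unit's admin may reset it, and nobody else can read it.
access to dn.subtree="ou=org1,dc=example,dc=edu" attrs=userPassword
        by dn.exact="cn=admin1,ou=org1,dc=example,dc=edu" write
        by self write
        by anonymous auth
        by * none

access to dn.subtree="ou=org2,dc=example,dc=edu" attrs=userPassword
        by dn.exact="cn=admin2,ou=org2,dc=example,dc=edu" write
        by self write
        by anonymous auth
        by * none

# Delegated scope: admin1 may read and modify everything under ou=org1
# (write implies read); any authenticated account may read the remaining
# attributes there (homeDirectory, uidNumber, loginShell, ...). This clause
# never matches entries under ou=org2, so admin1 has no rights there.
access to dn.subtree="ou=org1,dc=example,dc=edu"
        by dn.exact="cn=admin1,ou=org1,dc=example,dc=edu" write
        by users read
        by * none

access to dn.subtree="ou=org2,dc=example,dc=edu"
        by dn.exact="cn=admin2,ou=org2,dc=example,dc=edu" write
        by users read
        by * none

# Everything else (the suffix entry itself and anything outside the units):
# readable by authenticated users only. The rootdn bypasses all of these
# rules, so central administration of the whole tree stays with it.
access to *
        by users read
        by * none
```

After loading this, verify the boundary with a bind as cn=admin1 followed by an ldapmodify against an entry under ou=org2; the server should answer with "Insufficient access", and the same operation under ou=org1 should succeed.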