
Re: about ldap tree philosophy



the ldap recipe in the middleware section of the internet2 project has a lot of tips on tree design..
http://www.georgetown.edu/giia/internet2/ldap-recipe/

as far as groups go, the recipe also has some good information..

There are two ways to deal with groups.  A direct method and an indirect.

The direct method is as you stated.  Create the group using groupOfNames or posixGroup and list the members inside the group under memberUid or member attributes.

The indirect method is to extend the schema and add an attribute to each individual person.  A multi-valued attribute called isaMemberOf.  The values of this attribute would be the dn or name of each group that a person is a member of.

This will help you with determining who is in a group and what groups a person has membership in.

I have not tried this yet, but I've also been reading about dynamic groups. An attribute inside some group object allows the membership to be described as a uri.  example: ldap://hostname?(isaMemberOf=other), which would dynamically go through the people and search for anyone that matches the filter.

last .. there is an rfc out there that describes the names of base organizational units but I forget the number.  It lists people, hosts, group, services, networks, aliases, and so on..

Jonathan Higgins
Network Service Specialist IV
Kennesaw State University
jhiggins@kennesaw.edu

>>> Ace Suares <ace@suares.nl> 03/07/03 18:37 PM >>>

'alo,
> Hello,
>
> I've no problem with LDAP software, server and tools are fine.
>
> Now I'm thinking about a real tree and need some idea, usual, and so on
> about tree.
> What the best way for handling that kind of stuff :
>
> People :
>     with all people information (phone, add...),
>     where each has a unique id (login).
> Groups :
>     A place for drawing groups tree like
>     - commercial
>     - - - marketing
>     - - - sell
>     - support
>     - - - internal
>     - - - external
>     - production
>     - - - software
>     - - - - - - tester
>     - - - - - - coder
>     - - - hardware
>     ...


use objectClass 'groupOfNames'

like this:

dn: department=sales,suffix=yoursuffix
objectclass: groupOfNames
member: the-dn-of-one-member
member: the-dn-of-other-member

read the schema files for exact requirements of groupOfNames !

Hope that helps.

Ace




>
> How can I distribute entity from People in the tree groups ?
> Like a person 'Joe' will be in group 'support/external' and in group
> 'production/software/tester' ?
>
> Do you know some place where I can find information about drawing
> such a tree ?
>
> Thanks
> Cyrille
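
An added illustration of the direct and indirect methods described in the message above (not code from any of the posters): when both are kept, a membership recorded on only one side means applications that check different attributes will authorize differently, so the two views should be compared. The DNs, the dc=example suffix, the sample entries and the helper names are constructed assumptions; isaMemberOf is the custom attribute named in the message.

```python
# Constructed sample data: DNs, the dc=example suffix and helper names are assumptions.
G = "ou=Groups,dc=example"
P = "ou=People,dc=example"
EXTERNAL = f"cn=external,cn=support,{G}"
TESTER = f"cn=tester,cn=software,cn=production,{G}"
JOE, ANN = f"uid=joe,{P}", f"uid=ann,{P}"

DIRECTORY = {
    # Direct method: groupOfNames entries list their members.
    EXTERNAL: {"objectClass": ["groupOfNames"], "member": [JOE]},
    TESTER: {"objectClass": ["groupOfNames"], "member": [JOE, ANN]},
    # Indirect method: each person carries isaMemberOf values (group DNs).
    JOE: {"objectClass": ["person"], "isaMemberOf": [EXTERNAL, TESTER]},
    ANN: {"objectClass": ["person"], "isaMemberOf": []},  # stale: a group still lists ann
}

def norm(dn):
    """Lower-case a DN and drop space around commas (naive: no escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def direct_pairs(directory):
    """(person, group) pairs taken from the groups' member attributes."""
    return {(norm(m), norm(dn)) for dn, e in directory.items()
            for m in e.get("member", [])}

def indirect_pairs(directory):
    """(person, group) pairs taken from the people's isaMemberOf attributes."""
    return {(norm(dn), norm(g)) for dn, e in directory.items()
            for g in e.get("isaMemberOf", [])}

def drift(directory):
    """Memberships recorded by only one method; each one is a disagreement to fix."""
    d, i = direct_pairs(directory), indirect_pairs(directory)
    return {"only_in_group": sorted(d - i), "only_on_person": sorted(i - d)}

def members_under(directory, branch_dn):
    """People whose isaMemberOf names branch_dn or any group below it in the tree."""
    b = norm(branch_dn)
    return sorted({p for p, g in indirect_pairs(directory)
                   if g == b or g.endswith("," + b)})

if __name__ == "__main__":
    print(drift(DIRECTORY))
    print(members_under(DIRECTORY, f"cn=production,{G}"))
```

Against a live server the same comparison would run over search results for the member and isaMemberOf attributes instead of the in-memory dictionary.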