[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OU Structure

To: openldap-software@OpenLDAP.org
Subject: Re: OU Structure
From: Adam Williams <awilliam@whitemice.org>
Date: Fri, 05 Mar 2004 06:22:12 -0500
In-reply-to: <5.1.0.14.0.20040304084534.00a672b0@mail.flinders.edu.au>
References: <5.1.0.14.0.20040304084534.00a672b0@mail.flinders.edu.au>

> I am at a similar stage with my LDAP deployment, so I'm not an expert, but...
>  From the reading I've done (eg Howes, et al, "Understanding and Deploying 
> LDAP Directory Services" and Carter, "LDAP System Administration" - both 
> highly recommended) it sounds like it's a bad idea to structure your people 
> entries in line with your organisational structure.  

Yep.

> However, you should be able to achieve the access control you want with 
> ACLs in slapd.conf, based on the value of an attribute within the entry.

Use groups to control access.  This is easier to manage, the rules will
be easier to understand, and less mental-twisting will be involved in
training new administrators (Objects whose dn is a "member" of
"cn=Engineering,ou=Access Control,...." can edit the attributes and
objects that Engineering people should be able to edit, etc....)

My two cents.

References:
- Re: OU Structure
  - From: Tim Seeley <tim.seeley@flinders.edu.au>

Prev by Date: Re: Newbie conceptual issues (long)
Next by Date: Config 2.1.25 - won't find ssl.h
Index(es):
- Chronological
- Thread