[Date Prev][Date Next]
Re: OU Structure
> I am at a similar stage with my LDAP deployment, so I'm not an expert, but...
> From the reading I've done (eg Howes, et al, "Understanding and Deploying
> LDAP Directory Services" and Carter, "LDAP System Administration" - both
> highly recommended) it sounds like it's a bad idea to structure your people
> entries in line with your organisational structure.
> However, you should be able to achieve the access control you want with
> ACLs in slapd.conf, based on the value of an attribute within the entry.
Use groups to control access. This is easier to manage, the rules will
be easier to understand, and less mental-twisting will be involved in
training new administrators (Objects whose dn is a "member" of
"cn=Engineering,ou=Access Control,...." can edit the attributes and
objects that Engineering people should be able to edit, etc....)
My two cents.