On Mon, 2004-08-23 at 06:10, Imobach González Sosa wrote:
> Hi all,
>
> We have an OpenLDAP server to authenticate our users. The namespace is divided
> into three "organizations":
>
> ou=Students,ou=Personal,dc=XXX,dc=XXX
> ou=Teachers,ou=Personal,dc=XXX,dc=XXX
> ou=Administrative,ou=Personal,dc=XXX,dc=XXX
>
> We also have two IMAP servers: the first one authenticates users against
> "ou=Students". That's right and works fine. But the other one has to
> authenticate against Teachers and Administrative. So, I need a filter to
> search only in those namespaces.
>
> Is this possible? Any ideas?
>
> Anyway, I guess there are different approaches to a solution without
> filtering:
>
> 1) Group Teachers and Administrative in another "ou" and find users in this
> new 'ou'.
> 2) Flatten the hierarchy and pass the "Teachers", "Administrative" or "Students"
> to an attribute.
>
> Any advice concerning this issue?
>
> Thank you in advance.

From my own experience, relying on OUs for classification leads to difficulty, mostly because of users who have multiple classifications, for example, an Administrative member who is also a Teacher. The use of OUs can also lead to administrative overhead, such as moving users around the DIT when their classification changes.

My rule of thumb has always been to keep things as "flat" as possible, and use attributes/filtering to determine classification. I use OUs only to segregate objects that will never need classification changes -- a computer will never be a person, a printer will never be a classroom, etc.

This methodology has worked well for a few years in our ~45,000 user iPlanet Directory (moving to OpenLDAP) and our ~10,000 user Active Directory.

Just my $0.02,
-Matt

--
Matthew J. Smith <matt.smith@uconn.edu>
University of Connecticut ITS
PGP Key: http://web.uconn.edu/dotmatt/matt.asc
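The flat layout recommended in the reply, as an added example that is not part of the original thread: classification lives in a multi-valued attribute, so one filter restricts the second IMAP server's logins to Teachers and Administrative, and a reclassification is an attribute change rather than a DN move. The `employeeType` attribute, the `ou=People,dc=example,dc=org` base, the sample users and the small in-memory filter evaluator (standing in for the server's search) are all assumptions made for illustration.

```python
import re

# Constructed sample directory: a flat ou=People, classification held in the
# multi-valued employeeType attribute (assumed choice) instead of in the DN.
BASE = "ou=People,dc=example,dc=org"   # placeholder suffix, not from the thread
DIRECTORY = {
    f"uid=alice,{BASE}": {"uid": ["alice"], "employeeType": ["Student"]},
    f"uid=bob,{BASE}":   {"uid": ["bob"],   "employeeType": ["Teacher"]},
    f"uid=carol,{BASE}": {"uid": ["carol"], "employeeType": ["Teacher", "Administrative"]},
    f"uid=dave,{BASE}":  {"uid": ["dave"],  "employeeType": ["Administrative"]},
}

def escape(value):
    """RFC 4515 escaping so a login name cannot alter the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def _parse(f, i=0):
    """Parse one filter at f[i]; supports &, |, ! and equality only."""
    assert f[i] == "(", "filter must start with '('"
    i += 1
    if f[i] in "&|!":
        op, i, kids = f[i], i + 1, []
        while f[i] == "(":
            kid, i = _parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1          # skip the closing ')'
    end = f.index(")", i)
    attr, _, val = f[i:end].partition("=")
    return ("=", attr, _unescape(val)), end + 1

def _match(node, entry):
    if node[0] == "=":
        wanted = node[2].lower()          # compare values case-insensitively
        return any(v.lower() == wanted for v in entry.get(node[1], []))
    results = [_match(k, entry) for k in node[1]]
    return {"&": all, "|": any, "!": lambda r: not r[0]}[node[0]](results)

def search(filter_str):
    """Return the DNs of all sample entries matching the filter."""
    tree, _ = _parse(filter_str)
    return sorted(dn for dn, e in DIRECTORY.items() if _match(tree, e))

def staff_login_filter(login):
    """Filter for the second IMAP server: Teachers or Administrative only."""
    return ("(&(uid=%s)(|(employeeType=Teacher)(employeeType=Administrative)))"
            % escape(login))
```

A user holding both classifications (carol) matches once under a single DN, which is the case that OU-based classification cannot represent without duplicating or moving the entry.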