
ldap newbie/first post

Hi everyone,

You know, it's amazing how rare, it seems, strong LDAP-fu is in the
world.  It's almost as hard to find an LDAP-guru as it is to find,
say, a multivalue database guru, or someone really keen on the Pick
operating system!

First of all, please note: I am running the latest version of
OpenLDAP on Debian...

Anyway, here goes:
I run the IT dept. for the NY Botanical Garden.

Here are some statistics:

o there are maybe a dozen divisions

o there are approximately 40 departments

o some divisions are concatenations of several departments

o some divisions can be considered both divisions AND departments in the
same entity because they comprise only one 'department' but
the departmental head signs off as 'division head'.

Maybe the way to envision it is that there are divisions and there are
sub-divisions... divisions are either standalone divisions or
divisions may encompass 2 or more sub-divisions...

o there are approx. 530 employees, most of whom are users on the network
and most of whom have an email address and an extension

o there are approx. 40 servers and 600 workstations... [n] fax machines,
[nn] printers..etc..

o there are switches, routers, hubs, other networking equipment..etc.


Here are some things I'd like to see as part of our LDAP implementation:

there needs to be a class of people who are admins or managers over
the whole directory.

within each division and sub-division there should be a designated
admin who can, within his/her division or sub-division, make changes
to the people records in his/her area.

only IT staff should be managing accounts and 'assets' (computers,
printers, switches, etc...)

So...  I'm trying to figure out how best to set up the LDAP directory:

the container is: dc=nybg,dc=org

How many organizational units would the people here recommend?

ou=assets to contain computers, switches, faxes, printers, etc.?

ou=accounts to contain accounts?

ou=divisions to contain just divisions? or divisions and sub-divisions?...

You can see I'm already overwhelmed..

the good news is I'm in the middle of reading Brian Arkills' book
"LDAP Directories Explained"..
but I would still love some advice from those of you who've had to
deploy these things in the real world.

I realize there's more than one right way to do these things but, the
fact is, I currently have no one really knowledgeable with whom I can
even discuss this challenge...  so a friend of mine on the GNHLUG list
suggested I post here.

Thanks in advance for any advice...
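One way to express the delegation the post asks for (directory-wide managers, a per-division and per-sub-division admin limited to their own subtree, accounts and assets writable by IT only), as an added example that is not from the post or from the OpenLDAP project. It uses slapd.conf-style access directives and assumes a layout of ou=accounts, ou=assets and ou=divisions (with one nested ou per sub-division) under dc=nybg,dc=org, plus an assumed ou=groups holding groupOfNames entries named <ou>-admins, it-staff and directory-managers.

```conf
# Constructed example; not from the post or from the OpenLDAP project.
# Assumed DIT under dc=nybg,dc=org:
#   ou=accounts  - login accounts, IT-managed
#   ou=assets    - computers, printers, switches, IT-managed
#   ou=divisions - ou=<division>[,ou=<sub-division>] holding people records
#   ou=groups    - groupOfNames entries with the names assumed below
# slapd uses the first "access to" clause whose target matches, then the
# first "by" clause whose subject matches, so specific rules come first.

# Passwords: owner, IT and directory managers may set; everyone else may
# only bind with them. Division admins deliberately get no write here.
access to attrs=userPassword
    by group.exact="cn=directory-managers,ou=groups,dc=nybg,dc=org" write
    by group.exact="cn=it-staff,ou=groups,dc=nybg,dc=org" write
    by self write
    by anonymous auth
    by * none

# Accounts and assets: IT staff only; other authenticated users may read.
access to dn.regex="^(.+,)?ou=(accounts|assets),dc=nybg,dc=org$"
    by group.exact="cn=directory-managers,ou=groups,dc=nybg,dc=org" write
    by group.exact="cn=it-staff,ou=groups,dc=nybg,dc=org" write
    by users read
    by * none

# Sub-division entries: the sub-division's own admin group ($2) and the
# parent division's admin group ($3) may write, matched by OU name.
access to dn.regex="^(.+,)?ou=([^,]+),ou=([^,]+),ou=divisions,dc=nybg,dc=org$"
    by group.expand="cn=$2-admins,ou=groups,dc=nybg,dc=org" write
    by group.expand="cn=$3-admins,ou=groups,dc=nybg,dc=org" write
    by group.exact="cn=directory-managers,ou=groups,dc=nybg,dc=org" write
    by users read
    by * none

# Division-level entries: only that division's admin group.
access to dn.regex="^(.+,)?ou=([^,]+),ou=divisions,dc=nybg,dc=org$"
    by group.expand="cn=$2-admins,ou=groups,dc=nybg,dc=org" write
    by group.exact="cn=directory-managers,ou=groups,dc=nybg,dc=org" write
    by users read
    by * none

# Everything else (including ou=groups): managers write, users read.
access to *
    by group.exact="cn=directory-managers,ou=groups,dc=nybg,dc=org" write
    by users read
    by * none
```

Because the sub-division rule precedes the division rule, a record under ou=Orchids,ou=Horticulture is writable by horticulture-admins and orchids-admins but not by any other division's group; anonymous binds get nothing beyond the ability to authenticate.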