
Re: Maintaining information about who owns what..


On Sunday 12 December 2004 06:33, fuser9bb@hotpop.com wrote:
> I have two types of entries in our directory: people and accounts. I want
> to be able to easily determine which accounts are owned by which people. (A
> people entry belongs to one actual person, while a person may own several
> accounts.) The current thinking is to use a local objectclass and attribute
> (localAccount). So we may have:
> dn: cn=123,...
> objectClass: inetOrgPerson
> objectClass: localPerson
> cn: 123
> localAccount: uid=abc,...
> localAccount: uid=efg,...
> And our account:
> dn: uid=abc,...
> objectClass: inetOrgPerson
> objectClass: localAccount
> uid: abc
> localPerson: cn=123,...
> This way it's easy to map back and forth between entries.
> I would think that locating which accounts belong to which people is a
> common occurrence. It can be difficult to enforce a one person/one account
> rule in many organizations.
> Better suggestions?

In our corporate directory we faced the same problem.
We solved it using attributes that uniquely identify people and accounts
and storing the attribute values of the appropriate partner objects
in the people & account objects.

This way we were able to
* have two separate directories for people and accounts
  (the directory product - it is not OL - enforces referential
  integrity on any DN valued attribute, thus restricting us to
  non-DN valued attributes)
* move people between companies
  (to simplify ACLs the people directory is organized by companies)

We enforce the referential integrity using synchronisation procedures
between the directories.

Hope it helps
Peter Marschall
eMail: peter@adpm.de
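
The cross-reference check that such a synchronisation procedure has to perform, as an added example (not code from either poster): it parses exports of the people and account directories and reports every link that is not confirmed from both sides, plus accounts with no owner at all. The attribute names personId, accountId, ownedAccountId and ownerPersonId and all sample entries are hypothetical.

```python
from collections import defaultdict

# Constructed sample entries. The attribute names personId, accountId,
# ownedAccountId and ownerPersonId are hypothetical, not from the thread.
PEOPLE_LDIF = """\
dn: cn=123,o=companyA,dc=example,dc=com
personId: P-123
ownedAccountId: abc
ownedAccountId: efg
ownedAccountId: xyz
"""
ACCOUNTS_LDIF = """\
dn: uid=abc,ou=accounts,dc=example,dc=com
accountId: abc
ownerPersonId: P-123

dn: uid=efg,ou=accounts,dc=example,dc=com
accountId: efg
ownerPersonId: P-999

dn: uid=svc,ou=accounts,dc=example,dc=com
accountId: svc
"""

def parse_ldif(text):
    """Parse unfolded, non-base64 LDIF into a list of attribute -> [values] maps."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            entry[name].append(value)
        entries.append(entry)
    return entries

def audit(people, accounts):
    """Return sorted (problem, accountId, personId) tuples for every broken link."""
    claimed = {(a, p["personId"][0]) for p in people for a in p["ownedAccountId"]}
    owned = {(a["accountId"][0], o) for a in accounts for o in a["ownerPersonId"]}
    person_ids = {p["personId"][0] for p in people}
    account_ids = {a["accountId"][0] for a in accounts}
    # Person lists an account that is absent or that names a different owner.
    issues = [("account-missing" if a not in account_ids else "account-disagrees", a, p)
              for a, p in claimed - owned]
    # Account names an owner who is absent or who does not list the account.
    issues += [("person-missing" if p not in person_ids else "person-disagrees", a, p)
               for a, p in owned - claimed]
    # Accounts with no owner reference at all.
    issues += [("no-owner", a["accountId"][0], "") for a in accounts if not a["ownerPersonId"]]
    return sorted(issues)
```

Because the identifiers are plain strings rather than DNs, the check keeps working when a person entry moves to another company subtree.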