Re: ldapadd error

Quanah Gibson-Mount wrote:

Most sites (and graphical browsers) understand "ou" to be a generic
folder and as a common usage it makes sense. I recommend against using
"cn" to name everything; that negates one of the advantages of the
directory naming structure. I.e., use naming attributes that are distinct
and indicative of the type of object being named, so you can tell what an
object is just by looking at the name, and not needing to look inside the
entry. Overuse of the "cn" attribute is a common mistake in LDAP

I absolutely disagree. Using "ou" is a violation of the meaning of the attribute, and I've not had any issues with LDAP browsers using it. "ou" should never be considered a generic container, especially if you are going to be using and configuring organizations inside of an LDAP directory. Just because a bad practice has been used for a long period of time does not make it a good practice.
This discussion probably belongs on the general LDAP list.

1) the main point is that overusing/misusing "cn" is bad.
2) we both agree that misusing attributes (outside their designated purpose) is bad.
3) in practice, political structures are not well suited to a hierarchical directory structure. If you're going to talk about bad practices, start there. Once you recognize that "organization" and org charts make no sense in the directory space, you see that the political meaning of "organizational unit" is useless and it's just a "unit" as in "an atom for organizing information."

 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/