Just on a general note, I'd say this is a fairly poor design decision.
i have not read any material on ideal directory layout. can you refer me to good
resource? the design i have created is based only on intuition. that, and the schema
reference available in phpLdapAdmin. truth be told, ive found the documentation in
the openldap administration guide only marginally helpful. at least i havent seen much
in there about ldap itself; the guide seems to presume preexisting knowledge of ldap;
of which mine is scant :)
Given the way that people often shift organizations, or work for more then
one, I've found that putting organizations in their own tree, and then
people in their own tree works a lot better, and makes ACLs easier.
in our circumstance i think it will be rare that people will work for multiple organizations.
if there is such a case then we have bad data in our application. however, we will be
driving updates of the ldap directory through a proprietary cms. this system will then
dispatch the changes in the sql schema behind the app to the ldap directory.
synchronization will only be in this direction.
my understanding is that this is a common use of ldap. we only want to expose access to
some of the data in our sql database through ldap. am i of the wrong impression?
if i were to have a tree for organizationalUnit objects and another for organizationalPerson
objects, what would the ideal root objectClass of those trees?
In answer to your question, however, you may find that using sets helps
with some of what you want to do.