[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: access control

Quanah Gibson-Mount wrote:

--On December 5, 2007 1:41:49 PM -0500 Nathan Nobbe <quickshiftin@gmail.com> wrote:

i have not read any material on ideal directory layout.  can you refer me
to good
resource?  the design i have created is based only on intuition.  that,
and the schema
reference available in phpLdapAdmin.  truth be told, ive found the
documentation in
the openldap administration guide only marginally helpful.  at least i
havent seen much
in there about ldap itself; the guide seems to presume preexisting
knowledge of ldap;
of which mine is scant :)

Well, there's not hard rule. The general principal is, as flat as possible, as deep as necessary. The problem of course is compounded that bad design decisions at the beginning can haunt you for years. ;)

if i were to have a tree for organizationalUnit objects and another for
objects, what would the ideal root objectClass of those trees?

The root objectClass of a tree really does not have to pertain to the objects contained in that tree. I tend to make my branch roots fairly benign, like:

dn: cn=people,dc=myorg,dc=com objectclass: organizationalRole description: people cn: people

In answer to your question, however, you may find that using sets helps
with some of what you want to do.

what are sets in the context of ldap?

That's an excellent question. Some day they'll be documented,

I don't even have a section placeholder for that yet or even one dedicated to ACLs...hmmm...

Kind Regards,

Gavin Henry.
OpenLDAP Engineering Team.

E ghenry@OpenLDAP.org

Community developed LDAP software.