[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Directory layout help

To: Hung Luu <hung.n.luu@gmail.com>
Subject: Re: Directory layout help
From: Jonathan Clarke <jonathan@phillipoux.net>
Date: Sun, 10 Jan 2010 03:12:19 +0100
Cc: openldap-technical@openldap.org
In-reply-to: <a730b3151001091419g51394bd9va0b55e9269500010@mail.gmail.com>
References: <a730b3151001091152s7a11bf0bmd54ff57b960d8c00@mail.gmail.com> <4B48F419.3050807@stroeder.com> <a730b3151001091419g51394bd9va0b55e9269500010@mail.gmail.com>
User-agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.4; en-US; rv:1.9.1b4pre) Gecko/20090423 Shredder/3.0b3pre

On 09/01/10 23:19, Hung Luu wrote:



2010/1/9 Michael Ströder <michael@stroeder.com
<mailto:michael@stroeder.com>>

    Hung Luu wrote:
     > Suppose I have the following DN's:
     >
     > inetOrgPerson:
     > [uid=alice,dc=example,dc=com]
     >
     > organizationalRole:
     > [cn=manager,ou=groups,dc=example,dc=com]
     > [cn=supervisor,ou=groups,dc=example,dc=com]
     >
     > locality:
     > [l=phoenix,ou=division,dc=example,dc=com]
     > [l=portland,ou=division,dc=example,dc=com]
     >
     > How can I store in my directory the fact that Alice is a manger
    at the
     > Phoenix division, but she is only a supervisor at the Portland
    division?
     > I know group membership is involved here, but what's the best way to
     > represent that group membership to optimize searches such as:
    Return all
     > the people with a specific role at a specific locality, or return all
     > the roles and localities for a person.

    You could also use slapo-memberof to populate the member entries with a
    back-reference to the group entries which make some queries a lot
    easier.

    Ciao, Michael.


Suppose I have a group of roles and a group of localities, so that I
have the following representation of group membership:

[cn=manager,ou=groups,dc=example,dc=com]
member: uid=alice,ou=people,dc=example,dc=com

[cn=supervisor,ou=groups,dc=example,dc=com]
member: uid=alice,ou=people,dc=example,dc=com

[l=phoenix,ou=divisions,dc=example,dc=com]
member: uid=alice,ou=people,dc=example,dc=com

[l=portland,ou=divisions,dc=example,dc=com]
member: uid=alice,ou=people,dc=example,dc=com

How will slapo-memberof tell me which role Alice has at which locality?
What would the query look like?


You could have groups under each location, like :
[l=phoenix,ou=divisions,dc=example,dc=com]
[cn=managers,l=phoenix,ou=divisions,dc=example,dc=com]
member: uid=alice,ou=people,dc=example,dc=com

[l=portland,ou=divisions,dc=example,dc=com]
[cn=supervisors,l=phoenix,ou=divisions,dc=example,dc=com]
member: uid=alice,ou=people,dc=example,dc=com

And then memberOf would show these groups.

Or, you could just store managers and supervisors as attribute values inthe location's entry, and use a dynamic group to get a list of all manager.

Dynamic groups look promising, but would I have to create a dynamic
group for each user-role mapping? Using cn=config, I should be able to
add new dynamic groups on the fly without restarting slapd?

Yes. You may need to load the overlay as a module, if you don't have itcompiled in statically, then add the overlay config object under yourdatabase.


Regards,
Jonathan
--
--------------------------------------------------------------
Jonathan CLARKE - jonathan@phillipoux.net
4 avenue d'Epremesnil, 78400 Chatou, France

Mobile: +33 (0)6 99 60 03 10
--------------------------------------------------------------
Ldap Synchronization Connector (LSC) - http://lsc-project.org
--------------------------------------------------------------

References:
- Directory layout help
  - From: Hung Luu <hung.n.luu@gmail.com>
- Re: Directory layout help
  - From: Michael Ströder <michael@stroeder.com>
- Re: Directory layout help
  - From: Hung Luu <hung.n.luu@gmail.com>

Prev by Date: Re: Directory layout help
Next by Date: problem configuring overlay module and cn=config
Index(es):
- Chronological
- Thread