
Re: DIT structure advice


On 08/18/2011 10:46 AM, Olivier wrote:

My primary goal with an openldap directory is to store information
to manage people authentication and authorisation to resources on
my local network. But I also feel that this directory is a cool opportunity
to maintain a registry that would include administrative information such
as telephone numbers.

Here is the DIT structure that I plan to deploy to do that.

If anyone has comments or advice, I would be grateful!

Summary:
                    | STAFF = organizationalUnit |
                      | | |   | | |   | | |        ->  [ one entry per employee ]
     | John Doe = inetOrgPerson |                  ->  [ administrative data such as tel number ]
       | doe = posixAccount |                      ->  [ uid, password and so on ]

What is the reason for splitting user account data into two objects?



Staff is a branch of people:

# Entry 1: ou=staff,ou=people,dc=example,dc=fr
dn: ou=staff,ou=people,dc=example,dc=fr
objectclass: organizationalUnit
objectclass: top
ou: staff

that contains as many inetOrgPerson entries as I have people
in staff (here are recorded administrative data such as
telephone number and so on):

# Entry 12: sn=doe,ou=staff,ou=people,dc=example,dc=fr
dn: sn=doe,ou=staff,ou=people,dc=example,dc=fr
sn: doe
cn: john doe
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson

Each "inetOrgPerson" may also have a "posixAccount" child
that records the information used to access resources:

dn: uid=doe,sn=doe,ou=staff,ou=people,dc=example,dc=fr
cn: john doe
gidNumber: 1800
homeDirectory: /home/doe
loginShell: /bin/tcsh
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
uid: doe
uidNumber: 510
userPassword: {SSHA}***********************
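As an added illustration (not code from the thread above), the following Python script checks a proposed DIT of this shape before it is loaded: it parses a small LDIF text, indexes the entries by DN and lints the points that matter for the two-object layout discussed here. It verifies that each entry's RDN attribute/value really occurs in the entry (the server rejects the add otherwise, which is exactly the "uid=doe" versus "sn=doe" slip in the comment of entry 12 above), that every posixAccount hangs directly under an inetOrgPerson, and that uid and uidNumber are unique across posixAccounts, since a duplicate uidNumber silently gives two people the same Unix identity. The sample LDIF is constructed: the first three records mirror the entries above (with a placeholder password hash), and two extra records are deliberately broken to exercise the checks.

```python
import re
from collections import defaultdict

# Constructed sample: entries 1-3 follow the proposal above, 4 and 5 are
# intentionally wrong (RDN value missing from the entry; posixAccount placed
# directly under the OU and reusing uidNumber 510).
SAMPLE_LDIF = """\
dn: ou=staff,ou=people,dc=example,dc=fr
objectClass: organizationalUnit
objectClass: top
ou: staff

dn: sn=doe,ou=staff,ou=people,dc=example,dc=fr
sn: doe
cn: john doe
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson

dn: uid=doe,sn=doe,ou=staff,ou=people,dc=example,dc=fr
cn: john doe
gidNumber: 1800
homeDirectory: /home/doe
loginShell: /bin/tcsh
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
uid: doe
uidNumber: 510
userPassword: {SSHA}placeholder

dn: uid=smith,ou=staff,ou=people,dc=example,dc=fr
objectClass: top
objectClass: person
objectClass: inetOrgPerson
sn: smith
cn: jane smith

dn: uid=doe2,ou=staff,ou=people,dc=example,dc=fr
objectClass: account
objectClass: posixAccount
uid: doe2
cn: doe two
uidNumber: 510
gidNumber: 1800
homeDirectory: /home/doe2
"""


def parse_ldif(text):
    """Return a list of (dn, attrs); attrs maps lowercased name -> [values].
    Handles comments, ' ' continuation lines and blank-line record separators.
    Base64 (::) and URL (:<) values are not needed here and not supported."""
    entries = []
    for record in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in record.splitlines():
            if raw.startswith("#"):
                continue
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]          # folded continuation line
            else:
                lines.append(raw)
        dn, attrs = None, defaultdict(list)
        for line in lines:
            name, _, value = line.partition(":")
            if name.lower() == "dn":
                dn = value.strip()
            else:
                attrs[name.lower()].append(value.strip())
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def split_dn(dn):
    """Split a DN into its RDN strings on unescaped commas (single-valued RDNs only)."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]


def lint(entries):
    """Return a list of human-readable problems found in the DIT."""
    by_dn = {dn.lower(): attrs for dn, attrs in entries}
    problems, seen_uid, seen_uidnumber = [], {}, {}
    for dn, attrs in entries:
        rdn = split_dn(dn)[0]
        rattr, _, rval = rdn.partition("=")
        # The naming attribute must be present with the RDN's value.
        if rval.lower() not in (v.lower() for v in attrs.get(rattr.lower(), [])):
            problems.append(f"{dn}: RDN {rdn} not present as an attribute value")
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "posixaccount" not in classes:
            continue
        # In this design every posixAccount is a child of an inetOrgPerson.
        parent = ",".join(split_dn(dn)[1:]).lower()
        pclasses = {c.lower() for c in by_dn.get(parent, {}).get("objectclass", [])}
        if "inetorgperson" not in pclasses:
            problems.append(f"{dn}: posixAccount parent {parent} is not an inetOrgPerson")
        # uid and uidNumber must be unique, or two people share one Unix identity.
        for key, seen in (("uid", seen_uid), ("uidnumber", seen_uidnumber)):
            for v in attrs.get(key, []):
                if v in seen:
                    problems.append(f"{dn}: duplicate {key} {v} (also on {seen[v]})")
                seen.setdefault(v, dn)
    return problems


if __name__ == "__main__":
    for problem in lint(parse_ldif(SAMPLE_LDIF)):
        print(problem)
```

Run against the constructed sample it reports three problems: the missing uid on the uid=smith entry, the posixAccount parked directly under ou=staff, and the reused uidNumber 510. Entries 1 to 3 pass, which is a quick way to confirm that the entry-12 comment, not the DN itself, is what needed correcting.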