
Re: About primary key.



First I started to reply to your message, but then I quickly realized 
you're trying to make LDAP into a relational database. Sorry, 
wrong system :).

Just from reading your post, you need to get a copy of a good book 
on LDAP first before you try anything. Of course shameless plug, I 
recommend mine (Implementing LDAP). But you can also read 
"Understanding and Deploying LDAP Directory Servers" and 
"Implementing Directory Services (Enterprise Computing)" by 
Archie Reed.

Most definitely read at least one of these books before EVEN 
thinking about messing with the schema. And never take away 
from the standard schema, because you might break LDAP tools 
you use that expect the standard schema to be a certain way. You 
can extend your schema (and delete/modify your extensions), but 
don't touch the standard.

It's not a primary key. It's called a Distinguished Name. While it's 
similar in function, you need to call things by their correct names 
to remove any ambiguities.

Second, you're trying to create groups out of a single user. And 
group entries together by branches. Bad idea.

Instead put all of your people under a single branch:

 dc=abc,dc=com
 L ou=people,dc=abc,dc=com

Then create your people entries to have DNs like:
  uid=mewilcox,ou=people,dc=abc,dc=com

The reason is that people change roles and with this type of tree 
you don't have to change the DNs to cope with those role changes. 
You can simply reflect the role changes inside of the entry (ie 
either as a value of the ou attribute or your own 'role' attribute).

If you wish to create groups of users, you create group objects.

I prefer a tree like:
dc=abc,dc=com
 L ou=groups,dc=abc,dc=com

Then use the groupOfUniquemembers objectclass. You store 
members as DN values in the uniquemember attribute like this:
uniquemember:uid=mewilcox,ou=people,dc=abc,dc=com

You can add a 'membergroups' attribute to your schema and add that 
attribute to your user entries so that they also contain pointers to 
the groups they are members of. It saves lookup time during some 
operations. (For example, you don't have to search all of the groups to 
see what groups they are a member of. You simply just need to 
print out the values of the 'membergroups' attribute.) I do this to 
manage my classes at work (I work for a major university).

Mark



On 8 Dec 00, at 13:01, Guoliang Cao wrote:

> Hi there,
> 
> I'm new to LDAP and have got a lot of questions about it. If this is not the
> right place for them, please do let me know.
> 
> Is there some good material about how to create my own schema?
> Because if I'm willing to create my own types and objects, I really
> need to add a lot of stuff to the existing schema. And also, I don't want those
> redundant definitions in my LDAP server as I want to use the server
> for private or personal use; I don't want to inherit those not used
> specifically for me. Is there a way to remove those types that conflict
> with my own names?
> 
> I'm wondering if I can combine several fields as the primary key.
> Suppose I have this structure:
> 
> user
>     |_ telnetuser
>        |_ username=cao, group=users, shell=TCSH, password=no password
> 
> I want the LDIF like this:
> 
> dn: username=lee, group=users, ou=telnetuser, ou=user, o=abc.com
> objectclass: top
> objectclass: telnetuser
> username:lee
> group:users
> shell:Tcsh
> 
> I've tried on Netscape Directory Server 4.12, and it fails. Does that
> mean LDAP doesn't allow this?
> 
> Moreover, I hope I can get a subtree when I search in the directory.
> AFAIK, a directory server is organized in a structural way, so it should
> also be able to return structural data, like XML does.
> 
> I'll really appreciate any comments from you.
> 
> Thanks,
> Guoliang
> 
> 
> 


Mark Wilcox
mark@mjwilcox.com
Got LDAP?
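An added example, not part of either message in the thread, showing the tree Mark describes in runnable form and why the pointers it relies on need checking. It assumes a flat `ou=people` branch, groups under `ou=groups` using the standard `groupOfUniqueNames` object class with `uniquemember` DN values (taken here to be the class the reply refers to), and a site-specific `membergroups` back-pointer attribute on user entries named as in the post. The LDIF, the user and group names, and the minimal parser are all constructed for this example; a real deployment would use a proper LDIF library and the server's own DN matching rules.

```python
"""Added example (not from the mailing-list thread): parse a small LDIF
dump of the people/groups tree and check that every uniquemember DN
resolves to a real entry and that each user's 'membergroups'
back-pointers agree with the groups that actually list the user.
Dangling member DNs and stale back-pointers are the classic way such a
layout drifts away from the access it is supposed to express."""

from collections import defaultdict

# Constructed sample data. Two defects are planted on purpose: cn=staff lists
# a member DN that does not exist (uid=ghost), and uid=jdoe claims membership
# of cn=staff without being listed there.
SAMPLE_LDIF = """\
dn: dc=abc,dc=com
objectclass: top
objectclass: domain
dc: abc

dn: ou=people,dc=abc,dc=com
objectclass: organizationalUnit
ou: people

dn: ou=groups,dc=abc,dc=com
objectclass: organizationalUnit
ou: groups

dn: uid=mewilcox,ou=people,dc=abc,dc=com
objectclass: inetOrgPerson
uid: mewilcox
cn: Mark Wilcox
sn: Wilcox
ou: ldap-admins
membergroups: cn=staff,ou=groups,dc=abc,dc=com

dn: uid=jdoe,ou=people,dc=abc,dc=com
objectclass: inetOrgPerson
uid: jdoe
cn: Jane Doe
sn: Doe
membergroups: cn=staff,ou=groups,dc=abc,dc=com

dn: cn=staff,ou=groups,dc=abc,dc=com
objectclass: groupOfUniqueNames
cn: staff
uniquemember: uid=mewilcox,ou=people,dc=abc,dc=com
uniquemember: uid=ghost,ou=people,dc=abc,dc=com
"""


def normalize_dn(dn):
    """Crude DN normalisation for comparison: lowercase and strip whitespace
    around the comma separators. Escaped commas inside RDN values and the
    full RFC 4517 matching rules are deliberately out of scope here."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def parse_ldif(text):
    """Parse minimal LDIF ('attr: value' lines, blank line between records)
    into {normalized_dn: {attr_lowercase: [values]}}. Attribute names are
    lowercased because LDAP attribute types are case-insensitive.
    Continuation lines and base64 ('::') values are not handled."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(normalize_dn(value), defaultdict(list))
            continue
        if current is None:
            raise ValueError(f"attribute line before any dn: {line!r}")
        current[attr].append(value)
    return entries


def dangling_members(entries):
    """Return {group_dn: [member_dn, ...]} for uniquemember values that name
    no existing entry. Such a value is dead weight at best and, if the DN is
    later reused for a different person, an unintended grant."""
    bad = {}
    for dn, attrs in entries.items():
        missing = [m for m in attrs.get("uniquemember", [])
                   if normalize_dn(m) not in entries]
        if missing:
            bad[dn] = missing
    return bad


def backpointer_mismatches(entries):
    """Compare each user's 'membergroups' values with the groups that really
    list the user. Returns {user_dn: (claimed_but_not_listed,
    listed_but_not_claimed)} for every entry where the two views differ."""
    actual = defaultdict(set)
    for dn, attrs in entries.items():
        for m in attrs.get("uniquemember", []):
            actual[normalize_dn(m)].add(dn)
    out = {}
    for dn, attrs in entries.items():
        if "membergroups" not in attrs and dn not in actual:
            continue
        claimed = {normalize_dn(g) for g in attrs.get("membergroups", [])}
        listed = actual.get(dn, set())
        if claimed != listed:
            out[dn] = (sorted(claimed - listed), sorted(listed - claimed))
    return out


if __name__ == "__main__":
    tree = parse_ldif(SAMPLE_LDIF)
    print("dangling uniquemember values:", dangling_members(tree))
    print("membergroups mismatches:", backpointer_mismatches(tree))
```

Run against a real export, `dangling_members` is the check to schedule whenever people entries are deleted, and `backpointer_mismatches` is what keeps the fast-path `membergroups` lookup trustworthy: the back-pointer is a cache of the group listings, and a cache that is never reconciled is exactly where a user keeps (or appears to keep) access that the group no longer grants.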