
Re: tree design

On Mon, May 2, 2011 at 10:17 AM, E.S. Rosenberg
<esr+openldap@g.jct.ac.il> wrote:
> Hello all,
> I am considering redoing our LDAP tree since its current design is fairly
> unfortunate.
> I have read several articles that said that groups should be as general (and
> broad) as possible, and as a result of that the LDAP tree should be as free
> of hierarchy as possible. (An ou for people an ou for machines etc, but no
> ou for Departments).
> The reasoning seems to be that since the design of LDAP is optimized for
> reads and not for writes and managing moves between branches is/was a pain.

Hi Eli, nothing farther from the truth!!! But then again, it depends on
what you use your LDAP for. If it's just a stupid backend for Samba or
your MTA then yes, use the KISS.

But if you really want a directory, you should use a structure that
reflects the true nature of your business with as many levels and
complexity as required without _any_ limitations. Your queries won't
be anymore simpler or complex since you always simplify queries with
the adequate attributes. In fact hierarchies will almost always help,
unless of course your needs are just a fast backend for your MTA, or
MS AD emulation needs.

FOSS Products like PHPLDAPAdmin and LAM (LDAP Account manager which
derives almost directly from the former) are already pre-configured
to work in the stupid People, Machines world of the stupid Microsoft
Active Directory pseudoLDAP crap. You can however, EASILY configure any
of them to work with your complex DIT.

If you search the list archives I posted a response to a thread by
mistake and attached an interesting doc on the issue (it's in Spanish