> -----Original Message-----
> From: Maykel Moya [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 25 September 2007 08:46
> To: Giovanni Baruzzi
> Cc: [email protected]
> Subject: Re: AW: [ldap] Tree design review
> 
> On Mon, 24-09-2007 at 12:27 +0200, Giovanni Baruzzi wrote:
> 
> > (Design of the DIT snipped out)
> > > The proposed layout is mainly based on remarks from a presentation about
> > > tree design at LDAPCon2007. Nevertheless I have a lot of doubts:
> > >
> > > * What about ou=sync?
> > >   Not reflected in this design but in the slides. The guy proposed
> > >   something like
> > >   ou=users
> > >     ou=sync
> > >       uid=foo
> > >
> >
> > A synchronized container is a need for many organizations using
> > Metadirectory technology. I may leave it off, if don't need it.
> > But the important point is that you should have AT LEAST one additional
> > level under the level (e.g. "ou=users") where you set the search base of
> > your applications, to give you freedom to arrange the information coming
> > from different sources, without having to touch the applications.
> 
> Can you give me an example of a potential problem of having users
> directly under ou=users?
> 
> I think that if every application always does a subtree search with
> ou=users as base DN the user will be located.


You are right, but the problems are not with the applications.
What could happen is that, at a later point, you have another class of users 
that need to use the applications too.
They may come from a different source, have different administrators or respond 
to another hierarchy, or have a different structure of uid and so on.
If you have already a further level below your search base, this is normally 
quite simply solved by defining another container beside the first one, but if 
you haven't, you end up having to put the new container between the users which 
prevents you from having different ACLs to access them, just as an example.

Regards
Giovanni
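
The layout discussed in this thread, as an added example that is not part of the original messages: a simplified in-memory model (not a real LDAP server) showing that a subtree search from ou=users still finds users in a container added later, while each container keeps its own write ACL. The suffix dc=example,dc=com, the container names ou=staff and ou=partners, the admin names and the first-match rule evaluation are all assumptions made for illustration.

```python
# Added illustration: a simplified in-memory model, not a real LDAP server.
# All DNs, admin names and rules below are constructed sample data.

def parse_dn(dn):
    """Split a DN into normalized RDNs (assumes no escaped commas)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]

def in_subtree(dn, base):
    """True if dn equals base or lies anywhere below it."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

BASE = "ou=users,dc=example,dc=com"   # search base configured in every application

ENTRIES = [
    "uid=foo,ou=staff," + BASE,       # first class of users
    "uid=bar,ou=staff," + BASE,
    "uid=ext1,ou=partners," + BASE,   # second class, added later beside the first
]

# One write rule per container; the first matching subtree wins.
ACLS = [
    ("ou=staff," + BASE, "cn=staff-admins"),
    ("ou=partners," + BASE, "cn=partner-admins"),
]

def subtree_search(base, uid):
    """What an application does: subtree search for a uid below its base DN."""
    return [dn for dn in ENTRIES
            if in_subtree(dn, base) and parse_dn(dn)[0] == "uid=" + uid.lower()]

def can_write(admin, target_dn):
    """True if the first ACL rule covering target_dn names this admin."""
    for subtree, allowed in ACLS:
        if in_subtree(target_dn, subtree):
            return admin == allowed
    return False   # no rule matched: deny by default

if __name__ == "__main__":
    # The application's search base never changes, yet both user classes resolve.
    for uid in ("foo", "ext1"):
        print(uid, "->", subtree_search(BASE, uid))
    # Each container is administered separately.
    print("partner admin on ext1:", can_write("cn=partner-admins", ENTRIES[2]))
    print("partner admin on foo: ", can_write("cn=partner-admins", ENTRIES[0]))
```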


