--On Friday, September 28, 2007 7:08 PM -0400 Maykel Moya wrote:

> On Fri, 28-09-2007 at 14:22 -0500, Dustin Puryear wrote:
> > Maykel Moya (lists) wrote:
> > > I'm in the process of switching our auth and mail stuff to LDAP. Below is a
> > > preliminary DIT design.
> > >
> > > --
> > > sld.cu
> > >   ou=deleted
> > >     uid=deleteduser [inetOrgPerson]
> >
> > But.. why? I wouldn't use topology to encode this kind of information.
> > An alternative would be to use an attribute along with an ACL to exclude
> > a 'deleted/deactivated' record from general searches.
>
> I had the subjective perception that security will be enhanced with
> respect to those deleted accounts if they are outside the normal user
> container, say, in case of a typo in a search filter.
>
> That was the only argument I had for the ou=deleted. I agree with your
> and Quanah's points about not having user accounts hanging wherever in the
> DIT.
>
> The ideal solution would be an ACI expressing 'expose entries having
> deleted:true only to admin DNs'.

Right, that's the point of using ACLs. Then typos don't matter in search
filters, because the identity that's searching has to have access to the
entry.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
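Quanah's ACL approach written out as OpenLDAP slapd.conf access directives, added here as an example and not taken from the thread. It assumes a locally defined boolean attribute named deleted (OpenLDAP ships no such attribute; it needs a local schema entry), the suffix dc=sld,dc=cu constructed from the sld.cu root above, users under ou=people, and an admin group cn=admins,ou=groups,dc=sld,dc=cu.

```conf
# Added example (not from the thread). Assumes:
#   - a local schema defines 'deleted' as a Boolean attribute
#   - users live under ou=people,dc=sld,dc=cu (constructed suffix)
#   - admins are members of cn=admins,ou=groups,dc=sld,dc=cu

# Deactivated accounts first: only the admin group may see or change them.
# 'by * none' also denies auth access to userPassword, so a deactivated
# account can no longer bind, and no search filter from an ordinary user
# can return it, however the filter is typed.
access to filter=(deleted=TRUE)
        by group.exact="cn=admins,ou=groups,dc=sld,dc=cu" write
        by * none

# Passwords: owner may change, anyone may use them to bind, nobody reads.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Ordinary accounts. slapd stops at the first 'access to' clause whose
# target matches, so this rule must come AFTER the filter rule above;
# placing it first would expose deleted entries to every authenticated user.
access to dn.subtree="ou=people,dc=sld,dc=cu"
        by self write
        by users read
        by * none
```

The ordering of the three clauses is the part to verify after any later edit to the file: a new, broader rule inserted above the filter rule silently reopens the deactivated entries.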