Details were in short supply in that original email, agreed.
I'm a little confused why the traditional roles or group membership model won't work here? I can see the need to create an aux or even structural objectclass for the application information, but assigning rights should be a snap and could use what is already there. Or am I missing something?

> "Wessel Louwris" <[EMAIL PROTECTED]> writes:
>
>> Hi,
>>
>> I have some trouble designing an LDAP model. I have to set up something
>> in which I can look up what right a person has to access a certain module.
>> This has to be generic in respect of where the people/groups are
>> stored in the directory. So it could be implemented in different
>> LDAP organisations.
>>
>> I came up with the following:
>> * a structural myModule class with some text attributes (version)
>> * a structural myMember class with one text attribute which describes
>>   the access and a link to a user/group somewhere in the directory
>>
>> Now I make a hierarchy like:
>> cn=moduleA,ou=Modules : with a myVersion text attribute
>> cn=user1,cn=moduleA,ou=Modules : with myMode (read/write etc string)
>> attribute and myTargetDN DN attribute which points somewhere.
>>
>> Attached are the schema & ldif sample (all created with the Apache DS
>> eclipse plugins)
>>
>> My questions are:
>> * does this make any sense? Or is there hardly anything to say about it
>>   without the exact project information etc
>
> As you don't describe your project it is hard to comment on your
> schema. But you may face some problems as your objectclass myModule
> requires the attribute type commonName, depending on your directory
> vendor, you may have to include another structural objectclass.
>
>> * can I put an index on the myTargetDN? Because this one will be
>>   searched for mostly I think: 'is current user allowed to access
>>   this module'.
>
> You only can create an equality index, as this attribute type provides no
> substring rules.
>
>> * should I make more use of auxiliary classes? (couldn't find a decent
>>   structural class where I could base myModule on)
>
> It has always been good practice to design based on standard track
> objectclasses and extend classes to individual requirements.
>
>> * Any ideas on where can I find more info about LDAP modelling? (besides
>>   this mailing list ;-)
>
> http://www.guug.de/veranstaltungen/ldapcon2007/slides/Design-of-a-Directory-Information-Tree-presentation.pdf
>
> -Dieter
>
> --
> Dieter Klünter | Systemberatung
> http://www.dpunkt.de/buecher/2104.html
> GPG Key ID:8EF7B6C6
> 53°08'09,95"N
> 10°08'02,42"E

--
Dustin Puryear
President and Sr. Consultant
Puryear Information Technology, LLC
225-706-8414 x112
http://www.puryear-it.com

Author, "Best Practices for Managing Linux and UNIX Servers"
http://www.puryear-it.com/pubs/linux-unix-best-practices/
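
The lookup discussed in this thread ('is current user allowed to access this module'), as an added Python example that is not from any of the posters or their attached schema: an in-memory sketch of the myModule/myMember layout that uses only equality matches on myTargetDN and also resolves targets that point at a group. The dc=example,dc=com suffix, the groupOfNames entry with its member values, the sample users and the simplified DN normalization are assumptions.

```python
# Added example: in-memory sketch of the access lookup discussed in the thread.
# All entries are constructed sample data; dc=example,dc=com is a placeholder suffix.

def norm_dn(dn):
    """Simplified DN equality: trim and lowercase every RDN.
    Assumes no escaped commas and case-insensitive attribute values."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(attr.strip().lower() + "=" + " ".join(value.split()).lower())
    return ",".join(rdns)

DIRECTORY = {
    "cn=moduleA,ou=Modules,dc=example,dc=com": {
        "objectClass": ["myModule"], "myVersion": ["1.0"]},
    "cn=user1,cn=moduleA,ou=Modules,dc=example,dc=com": {
        "objectClass": ["myMember"], "myMode": ["write"],
        "myTargetDN": ["uid=alice,ou=People,dc=example,dc=com"]},
    "cn=staff,cn=moduleA,ou=Modules,dc=example,dc=com": {
        "objectClass": ["myMember"], "myMode": ["read"],
        "myTargetDN": ["cn=staff,ou=Groups,dc=example,dc=com"]},
    "cn=staff,ou=Groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=alice,ou=People,dc=example,dc=com",
                   "UID=Bob, OU=People, DC=example, DC=com"]},
}

def search(base, attr, value):
    """Subtree search under base with a single equality filter (attr=value)."""
    base_n, want = norm_dn(base), norm_dn(value)
    for dn, entry in DIRECTORY.items():
        dn_n = norm_dn(dn)
        if dn_n == base_n or dn_n.endswith("," + base_n):
            if any(norm_dn(v) == want for v in entry.get(attr, [])):
                yield dn, entry

def modes_for(user_dn, module_dn, groups_base):
    """Modes granted to the user directly or via groups listing them as member.
    Returns an empty set (no access) when nothing matches."""
    targets = [user_dn] + [dn for dn, _ in search(groups_base, "member", user_dn)]
    modes = set()
    for target in targets:
        for _, entry in search(module_dn, "myTargetDN", target):
            modes.update(entry["myMode"])
    return modes
```

Because myTargetDN may name either a user or a group, answering the question takes one equality search per candidate target (the user plus each group containing the user), which is the cost the plain group membership model avoids.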