On Mon, 2009-02-02 at 00:09 -0500, Matt Juszczak wrote:
> I'm configuring an LDAP Directory with three main purposes:
> - UNIX Logins & Groups
> - LDAP Logins (and groups)
> - Web Based application Logins (and groups)
> For now, I've got four organizational units:
> ou=accounts (Unix accounts)
> ou=people (Accounts for web-based apps, etc.)
> ou=ldap (Internal LDAP accounts (read/readwrite/etc.))
> ou=groups (All groups)
> which has come about because of some recent restructuring I've been doing as
> I add more features. I'd like to clean this up a bit. Primarily because
> ALL groups go under ou=groups, whether it's a unix group (posixGroup), an
> LDAP group (groupOfNames), etc.
> So I'm wondering if I should do something like this:
> uid=<username>,ou=users,ou=unix,dc=domain,dc=net
> cn=groupname,ou=groups,ou=unix,dc=domain,dc=net
> and the same for ou=ldap and ou=people, or just put groups and users under
> the same top level and split based on schema:
> uid=<username>,ou=unix,dc=domain,dc=net
> cn=<group name>,ou=unix,dc=domain,dc=net
> What has worked best for you in the past?
We have
{Base}
{Base},ou=SAM
{Base},ou=Groups
{Base},ou=Entities
{Base},ou=Entities,ou=People
{Base},ou=Entities,ou=System Accounts
It is nice for [the fairly common] stupid application that just lets you
define an LDAP base for users *and* groups; we can give the application
"{Base},ou=SAM" and it can find both groups and users under one search
point without having to give it the root of the entire DIT (as the DIT
contains tons of other stuff). Separating users [aka People] and system
accounts makes writing (and reading) ACLs a bit easier for us.
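As an added example that is not part of this thread, here is the layout above written as LDIF, followed by slapd-config access rules that make use of the People / System Accounts split. dc=example,dc=com stands in for {Base}, cn=ldap-admins is an assumed group, and ou=SAM is left out because the post does not say how it is populated.

```ldif
# Constructed example: the tree described in the reply, with
# dc=example,dc=com standing in for {Base}.
dn: ou=Entities,dc=example,dc=com
objectClass: organizationalUnit
ou: Entities

dn: ou=People,ou=Entities,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=System Accounts,ou=Entities,dc=example,dc=com
objectClass: organizationalUnit
ou: System Accounts

dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups

# Subtree-scoped access rules (slapd.access(5) syntax) for a cn=config
# database; the database DN and the cn=ldap-admins group are assumptions.
# People may change their own password; system accounts may only bind;
# everything else is read-only to authenticated users and closed otherwise.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to dn.subtree="ou=People,ou=Entities,dc=example,dc=com" attrs=userPassword
  by group.exact="cn=ldap-admins,ou=Groups,dc=example,dc=com" write
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to dn.subtree="ou=System Accounts,ou=Entities,dc=example,dc=com" attrs=userPassword
  by group.exact="cn=ldap-admins,ou=Groups,dc=example,dc=com" write
  by anonymous auth
  by * none
olcAccess: {2}to dn.subtree="ou=Entities,dc=example,dc=com"
  by group.exact="cn=ldap-admins,ou=Groups,dc=example,dc=com" write
  by users read
  by * none
olcAccess: {3}to dn.subtree="ou=Groups,dc=example,dc=com"
  by group.exact="cn=ldap-admins,ou=Groups,dc=example,dc=com" write
  by users read
  by * none
```

Because the rules are keyed on the subtree rather than on per-entry attributes, adding a new service account under ou=System Accounts picks up the stricter password policy without any ACL change.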