The DIT structure you use should be driven by your application needs,
performance considerations, hardware considerations, software
features, and many other things. Using branching, as in your first
example, might be efficacious if you had a large number of users and
intended to use data distribution techniques that are made available
by DSEE, or you wished to keep uid=<username> RDNs in a separate
database for performance and indexing reasons.
On Feb 2, 2009, at 12:09 AM, Matt Juszczak wrote:
I'm configuring an LDAP Directory with three main purposes:
- UNIX Logins & Groups
- LDAP Logins (and groups)
- Web Based application Logins (and groups)
For now, I've got four organizational units:
ou=accounts (Unix accounts)
ou=people (Accounts for web-based apps, etc.)
ou=ldap (Internal LDAP accounts (read/readwrite/etc.))
ou=groups (All groups)
which has come about because of some recent restructuring I've been
doing as I add more features. I'd like to clean this up a bit.
Primarily because ALL groups go under ou=groups, whether it's a unix
group (PosixGroup), an LDAP group (groupOfNames), etc.
So I'm wondering if I should do something like this:
uid=<username>,ou=users,ou=unix,dc=domain,dc=net
cn=groupname,ou=groups,ou=unix,dc=domain,dc=net
and the same for ou=ldap and ou=people, or just put groups and users
under the same top level and split based on schema:
uid=<username>,ou=unix,dc=domain,dc=net
cn=<group name>,ou=unix,dc=domain,dc=net
What has worked best for you in the past?
Thanks!
-Matt
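An added example, not part of this thread: a small audit that checks whether entries follow the "one branch per purpose" layout Matt proposes (uid=<username>,ou=users,ou=unix,... and cn=<groupname>,ou=groups,ou=unix,...). The objectClass-to-branch mapping and the sample entries are assumptions constructed for the example; only the suffix dc=domain,dc=net comes from the thread, and the ou=ldap branch is left out because the thread does not say which objectClass those accounts use.

```python
# Added example: audit DNs against a per-purpose DIT layout.
# Assumed policy: structural objectClass -> (purpose ou, kind ou, RDN attribute).
SUFFIX = "dc=domain,dc=net"  # suffix from the thread
BRANCH_FOR_CLASS = {
    "posixAccount": ("unix", "users", "uid"),
    "posixGroup": ("unix", "groups", "cn"),
    "inetOrgPerson": ("people", "users", "uid"),
    "groupOfNames": ("people", "groups", "cn"),
}

def split_dn(dn):
    """Split a DN into (attribute, value) RDN pairs, attribute lower-cased.
    Only unescaped commas are handled, which is enough for these samples."""
    pairs = []
    for part in dn.split(","):
        attr, value = part.split("=", 1)
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs

def check_entry(dn, object_classes):
    """Return a list of layout violations for one entry (empty if compliant)."""
    rdns = split_dn(dn)
    if len(rdns) != 5 or rdns[3:] != split_dn(SUFFIX):
        return [f"{dn}: not a three-level entry under {SUFFIX}"]
    known = [oc for oc in object_classes if oc in BRANCH_FOR_CLASS]
    if len(known) != 1:
        return [f"{dn}: expected exactly one policy objectClass, got {known}"]
    purpose, kind, rdn_attr = BRANCH_FOR_CLASS[known[0]]
    leaf, kind_ou, purpose_ou = rdns[0], rdns[1], rdns[2]
    problems = []
    if leaf[0] != rdn_attr:
        problems.append(f"{dn}: RDN attribute should be {rdn_attr}")
    if kind_ou != ("ou", kind) or purpose_ou != ("ou", purpose):
        problems.append(f"{dn}: should live under ou={kind},ou={purpose},{SUFFIX}")
    return problems

def audit(entries):
    """entries: iterable of (dn, [objectClass, ...]); returns all violations."""
    out = []
    for dn, ocs in entries:
        out.extend(check_entry(dn, ocs))
    return out

# Constructed sample: three compliant entries, one from the old flat
# ou=groups layout, and one groupOfNames placed in the unix branch.
SAMPLE = [
    ("uid=matt,ou=users,ou=unix,dc=domain,dc=net", ["posixAccount", "shadowAccount"]),
    ("cn=wheel,ou=groups,ou=unix,dc=domain,dc=net", ["posixGroup"]),
    ("uid=alice,ou=users,ou=people,dc=domain,dc=net", ["inetOrgPerson"]),
    ("cn=wheel,ou=groups,dc=domain,dc=net", ["posixGroup"]),
    ("cn=webadmins,ou=groups,ou=unix,dc=domain,dc=net", ["groupOfNames"]),
]

if __name__ == "__main__":
    for problem in audit(SAMPLE):
        print(problem)
```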