thanks for your reply Quanah.

On Dec 5, 2007 1:26 PM, Quanah Gibson-Mount <[EMAIL PROTECTED]> wrote:

> Just on a general note, I'd say this is a fairly poor design decision.


i have not read any material on ideal directory layout.  can you refer me
to a good resource?  the design i have created is based only on intuition.
that, and the schema reference available in phpLdapAdmin.  truth be told,
i've found the documentation in the openldap administration guide only
marginally helpful.  at least i haven't seen much in there about ldap
itself; the guide seems to presume preexisting knowledge of ldap; of which
mine is scant :)

> Given the way that people often shift organizations, or work for more than
> one, I've found that putting organizations in their own tree, and then
> people in their own tree works a lot better, and makes ACLs easier.


in our circumstance i think it will be rare that people will work for
multiple organizations.  if there is such a case then we have bad data in
our application.  however, we will be driving updates of the ldap directory
through a proprietary cms.  this system will then dispatch the changes in
the sql schema behind the app to the ldap directory.  synchronization will
only be in this direction.

my understanding is that this is a common use of ldap.  we only want to
expose access to some of the data in our sql database through ldap.  am i
of the wrong impression?

if i were to have a tree for organizationalUnit objects and another for
organizationalPerson objects, what would be the ideal root objectClass of
those trees?

> In answer to your question, however, you may find that using sets helps
> with some of what you want to do.

what are sets in the context of ldap?

thanks,

-nathan
